Resubmissions
23-10-2023 21:58  231023-1vlrxsgc2w  10
28-12-2022 20:03  221228-ys52nsbd89  10
28-12-2022 19:41  221228-yej72sbd64  10
28-12-2022 19:27  221228-x569tsbd43  10
Analysis
max time kernel: 156s
max time network: 121s
platform: windows10-1703_x64
resource: win10-20231020-en
resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23-10-2023 21:58
Behavioral task: behavioral1
Sample: dharma.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: dharma.exe
Resource: win10-20231020-en

Behavioral task: behavioral3
Sample: dharma.exe
Resource: win10v2004-20231023-en
General
Target: dharma.exe
Size: 677KB
MD5: 2d4ec86793fec1e10ac8fb617b2dcdbd
SHA1: 078df2b23e7e24f2397532f9ec2694191fd9cc20
SHA256: a6ed8beb599f2aa594298076a2e8312871a2b12feb8e5d072d51335f21f85d7b
SHA512: 1e15b4c910532ed36cf3adf605f744784224ceaa815e71588fb521f0e7b76975dc37889e6c8ac2e1c888060eda2380850c8877a801c74e222db043715719c5de
SSDEEP: 12288:5IODa1GPYOBsDMOUaIQpGyEV3T5W241YcWEhpEdVe1/4vS1ZoYGIRUafy5LT+0w:5IO+aYxHjpYT5s1YcWEhpEdVe1/4vS1T

Malware Config
Extracted: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (438) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file (5 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dharma.exe | dharma.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | dharma.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-13E47558.[[email protected]].money | dharma.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-13E47558.[[email protected]].money | dharma.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | dharma.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dharma.exe = "C:\\Windows\\System32\\dharma.exe" | dharma.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | dharma.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | dharma.exe
- Drops desktop.ini file(s) (64 IoCs)
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\dharma.exe | dharma.exe
  File created | C:\Windows\System32\Info.hta | dharma.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2720 set thread context of 3740 | 2720 | dharma.exe | 71
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  3968 | vssadmin.exe
  5968 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 1492 | vssvc.exe
  Token: SeRestorePrivilege | 1492 | vssvc.exe
  Token: SeAuditPrivilege | 1492 | vssvc.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 2720 wrote to memory of 3740 | 2720 | dharma.exe | 71
  PID 2720 wrote to memory of 3740 | 2720 | dharma.exe | 71
  PID 2720 wrote to memory of 3740 | 2720 | dharma.exe | 71
  PID 2720 wrote to memory of 3740 | 2720 | dharma.exe | 71
  PID 3740 wrote to memory of 2100 | 3740 | dharma.exe | 72
  PID 3740 wrote to memory of 2100 | 3740 | dharma.exe | 72
  PID 2100 wrote to memory of 3912 | 2100 | cmd.exe | 74
  PID 2100 wrote to memory of 3912 | 2100 | cmd.exe | 74
  PID 2100 wrote to memory of 3968 | 2100 | cmd.exe | 75
  PID 2100 wrote to memory of 3968 | 2100 | cmd.exe | 75
  PID 3740 wrote to memory of 3000 | 3740 | dharma.exe | 81
  PID 3740 wrote to memory of 3000 | 3740 | dharma.exe | 81
  PID 3000 wrote to memory of 6348 | 3000 | cmd.exe | 83
  PID 3000 wrote to memory of 6348 | 3000 | cmd.exe | 83
  PID 3000 wrote to memory of 5968 | 3000 | cmd.exe | 84
  PID 3000 wrote to memory of 5968 | 3000 | cmd.exe | 84
  PID 3740 wrote to memory of 6392 | 3740 | dharma.exe | 85
  PID 3740 wrote to memory of 6392 | 3740 | dharma.exe | 85
  PID 3740 wrote to memory of 6172 | 3740 | dharma.exe | 86
  PID 3740 wrote to memory of 6172 | 3740 | dharma.exe | 86
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
1. C:\Users\Admin\AppData\Local\Temp\dharma.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dharma.exe"
   PID: 2720
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\dharma.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\dharma.exe
      PID: 3740
      - Drops startup file
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
         PID: 2100
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\mode.com
            Command line: mode con cp select=1251
            PID: 3912
         4. C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            PID: 3968
            - Interacts with shadow copies
      3. C:\Windows\system32\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
         PID: 3000
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\mode.com
            Command line: mode con cp select=1251
            PID: 6348
         4. C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            PID: 5968
            - Interacts with shadow copies
      3. C:\Windows\System32\mshta.exe
         Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
         PID: 6392
      3. C:\Windows\System32\mshta.exe
         Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
         PID: 6172
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 1492
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-13E47558.[[email protected]].money
  Filesize: 2.9MB
  MD5: 3045a95a947a0d3e7386b3be71d38b05
  SHA1: b7e14edf23970838f8f922eee06416bf6a547c1e
  SHA256: 35414b5c635ff4e88b83fe3aace0843dcd498a8a301924a7521117ea7d93c391
  SHA512: 97e68acec2b25fe9321654dbd45a4ea5871962883a16dd68284244b462fcd867b2000ba449c638910508243299a863b63976e6aa11baebcedb4392416e1be985
-
  Filesize: 13KB
  MD5: 51c431aba6cc9ce60f5d1858e0718e1c
  SHA1: abc89d87a8a5ed9e90b521f28138597ee01b966c
  SHA256: 7548f1c39e51119d0931168eb36fe865f7d45139aef9e04acdbbffa150313fcf
  SHA512: 99511576bedfe9ae2664a27e0a18b2cbe2bb43ea5f7dff3cdff673b911aefdc2b31b10b3e2e24ee82183bf876fd3fd76e3081cdd878ac3f1b3deba95a3f7723c