dharma | 72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2

General

Target

30e1234ef3e570667526fdb006832b12.exe
Size

913KB
MD5

30e1234ef3e570667526fdb006832b12
SHA1

01de8ba945945b58824f69553ac0f7b048645d45
SHA256

72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2
SHA512

00bd673f43cba1b16363433e672b30d22196fa0b67c024f970da15270323e545d15b3b990ed1dbbc3e7b9421c3f7840b10621c76203f89e0bcb1214e2a129e4e
SSDEEP

24576:Utp7PNBIIr2i1VzBPZYpoEjH2NzQufi9Re+SfM+:uPSiJP+BH2NQufire+SfM+

Score

10^/10

dharma discovery evasion ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Renames multiple (4102) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2156 icacls.exe

pid	process
2156	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

30e1234ef3e570667526fdb006832b12.exe

description	ioc	process
File opened (read-only)	\??\M:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\R:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\V:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\X:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\G:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\K:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\B:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\Q:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\Z:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\I:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\L:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\H:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\J:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\O:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\P:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\T:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\W:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\F:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\E:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\S:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\U:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\Y:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\N:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\A:	30e1234ef3e570667526fdb006832b12.exe

Drops file in Program Files directory 64 IoCs

Processes:

30e1234ef3e570667526fdb006832b12.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-core-kit.xml_hidden.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196110.WMF.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08773_.WMF.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099193.GIF.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00200_.WMF.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00814_.WMF.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hebron.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_ja.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_02.MID.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtobe.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\DisableSkip.html.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ho_Chi_Minh.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\jmxremote.access.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00117_.WMF.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00233_.WMF.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198372.WMF.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Athens.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-search.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tahiti.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107516.WMF.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.id-79286055.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2796 schtasks.exe
2744 schtasks.exe
2968 schtasks.exe
2416 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2012 taskkill.exe
2648 taskkill.exe

pid	process
2796	schtasks.exe
2744	schtasks.exe
2968	schtasks.exe
2416	schtasks.exe

pid	process
2012	taskkill.exe
2648	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

30e1234ef3e570667526fdb006832b12.exe

pid	process
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe
2228	30e1234ef3e570667526fdb006832b12.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2648 taskkill.exe
Token: SeDebugPrivilege 2012 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

30e1234ef3e570667526fdb006832b12.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2228 wrote to memory of 2776	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2776	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2776	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2776	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2776 wrote to memory of 2416	2776	cmd.exe	schtasks.exe
PID 2776 wrote to memory of 2416	2776	cmd.exe	schtasks.exe
PID 2776 wrote to memory of 2416	2776	cmd.exe	schtasks.exe
PID 2776 wrote to memory of 2416	2776	cmd.exe	schtasks.exe
PID 2228 wrote to memory of 2280	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2280	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2280	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2280	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2328	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2328	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2328	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2328	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2740	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2740	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2740	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2740	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2740 wrote to memory of 2796	2740	cmd.exe	schtasks.exe
PID 2740 wrote to memory of 2796	2740	cmd.exe	schtasks.exe
PID 2740 wrote to memory of 2796	2740	cmd.exe	schtasks.exe
PID 2740 wrote to memory of 2796	2740	cmd.exe	schtasks.exe
PID 2228 wrote to memory of 2808	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2808	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2808	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2808	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2808 wrote to memory of 2816	2808	cmd.exe	attrib.exe
PID 2808 wrote to memory of 2816	2808	cmd.exe	attrib.exe
PID 2808 wrote to memory of 2816	2808	cmd.exe	attrib.exe
PID 2808 wrote to memory of 2816	2808	cmd.exe	attrib.exe
PID 2228 wrote to memory of 3016	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 3016	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 3016	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 3016	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 3016 wrote to memory of 2744	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 2744	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 2744	3016	cmd.exe	schtasks.exe
PID 3016 wrote to memory of 2744	3016	cmd.exe	schtasks.exe
PID 2228 wrote to memory of 2336	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2336	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2336	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2336	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2336 wrote to memory of 2968	2336	cmd.exe	schtasks.exe
PID 2336 wrote to memory of 2968	2336	cmd.exe	schtasks.exe
PID 2336 wrote to memory of 2968	2336	cmd.exe	schtasks.exe
PID 2336 wrote to memory of 2968	2336	cmd.exe	schtasks.exe
PID 2228 wrote to memory of 2632	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2632	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2632	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2632	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2632 wrote to memory of 2728	2632	cmd.exe	attrib.exe
PID 2632 wrote to memory of 2728	2632	cmd.exe	attrib.exe
PID 2632 wrote to memory of 2728	2632	cmd.exe	attrib.exe
PID 2632 wrote to memory of 2728	2632	cmd.exe	attrib.exe
PID 2228 wrote to memory of 2820	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2820	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2820	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2228 wrote to memory of 2820	2228	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2820 wrote to memory of 2760	2820	cmd.exe	attrib.exe
PID 2820 wrote to memory of 2760	2820	cmd.exe	attrib.exe
PID 2820 wrote to memory of 2760	2820	cmd.exe	attrib.exe
PID 2820 wrote to memory of 2760	2820	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2760 attrib.exe
2816 attrib.exe
2728 attrib.exe

pid	process
2760	attrib.exe
2816	attrib.exe
2728	attrib.exe

C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe
"C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
- Drops startup file
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
3⤵
- Creates scheduled task(s)
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /F
3⤵
- Creates scheduled task(s)
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s harma.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\attrib.exe
attrib +h +s harma.exe
3⤵
- Views/modifies file attributes
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\attrib.exe
attrib +h +s C:\ProgramData\harma.exe
3⤵
- Views/modifies file attributes
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
PID:2656

C:\Windows\SysWOW64\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:2624

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV
2⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB
2⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma
2⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV
2⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"
2⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:524

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1920

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HRMPRIV
Filesize
2KB

MD5
7c107d9b098e33a04bfeccb44fbf702e

SHA1
0583738ed9ef3375038292a3aa4c1c7e7b97e44e

SHA256
cd0ba3a1dfd53b2019e78f937937e78fa3481328b8b6c111982cd28357e5c310

SHA512
b457e07c56a5b2f28d0890d4ceaeb5605406d2f806717b38c8bec5eb10d821ce6fa2b612cea95e41a9ec761bea3ea8d173677712e876bb5c722107153f60b4d7

Download Submit
C:\ProgramData\harma.exe
Filesize
913KB

MD5
30e1234ef3e570667526fdb006832b12

SHA1
01de8ba945945b58824f69553ac0f7b048645d45

SHA256
72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2

SHA512
00bd673f43cba1b16363433e672b30d22196fa0b67c024f970da15270323e545d15b3b990ed1dbbc3e7b9421c3f7840b10621c76203f89e0bcb1214e2a129e4e

Download Submit
C:\ProgramData\id.harma
Filesize
8B

MD5
2c487fadba9fe41178c3206009e098be

SHA1
ac6edfa29014d4fe1518ad422ba9e6149a596d57

SHA256
44040e482ffbfe30d6b288a113a6f16998e8cb281b991fdc632a7bf57671065e

SHA512
7d003ec43f75f08197c246e2364f576f453f1b78e4fc3d4a4ad2271c4e1b205aa961ac43070c0bebc11b9bb126d283d93f9c93e0773033309afef5832d0db7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRMPUB
Filesize
292B

MD5
24da1445244b35f9f96825d6d5ac2d4b

SHA1
a7ac4cd7fb3d86ae1f3171fb2b91a7f0c71ec276

SHA256
42076e5df8ff25d78fea600636b9f70163bb866e29b725b4fe5cdbbe7bb205a5

SHA512
fdae6de128e49d29437f93e73b9a330f369b7212e5e2eb8b1d76ec7142408be0cc81e3a3adfc916f461a7de37da329aaaa66b60974c20dde2222af547bccb794

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads