Analysis

  • max time kernel: 0s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231222-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24-12-2023 19:55

General

  • Target: 0f2c4685932a74e8a7bd4733ceea0fcc.exe
  • Size: 92KB
  • MD5: 0f2c4685932a74e8a7bd4733ceea0fcc
  • SHA1: 51201bbf3d9b532d8882a4cda4fa40f35d093179
  • SHA256: b0817a23a0189f43f8ceeb9899ade839f07da58dcf5a522d563c15382fba305a
  • SHA512: c397d75914c49eba7725f886845aa8a6b02cfbbaef59f858507b0ebce836aafb9743bafd2f409097ec45eb68e0c333cfda0fc0607b37ddbbaca6c23e2f73d461
  • SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4A+owcTqXrUMW/E4RwlROQA1d2x3u:Qw+asqN5aW/hL0X6wbmd2x3u

Malware Config

Extracted

  • Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

  • Ransom Note:

    YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email itteam122@aol.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: itteam122@techmail.info Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

  • Emails: itteam122@aol.com, itteam122@techmail.info

Signatures

  • Dharma

    Dharma is a ransomware family that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f2c4685932a74e8a7bd4733ceea0fcc.exe
    "C:\Users\Admin\AppData\Local\Temp\0f2c4685932a74e8a7bd4733ceea0fcc.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4380
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:1020
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:5560
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      PID:4264
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      PID:272
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      PID:6124
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:7908
  • C:\Windows\system32\mode.com
    mode con cp select=1251
    1⤵
    PID:8880
  • C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    1⤵
    • Interacts with shadow copies
    PID:6320

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Indicator Removal (T1070): 2
      • File Deletion (T1070.004): 2
    • Modify Registry (T1112): 1
  • Impact
    • Inhibit System Recovery (T1490): 2


Downloads

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-E0612F7C.[itteam122@aol.com].ROGER
    Filesize: 9KB
    MD5: 9f298ed6d8263431d7b04baa678a3682
    SHA1: a4decca197d5d07edba022b57e953e7adf626642
    SHA256: 2fed0fabf6ae409d105411e456b75271312aa9a5b1333dc260f0e1ab150cc6f8
    SHA512: 23c2bdefaff7f958cc8682c15ee114a1f614fb71eab5c042d122345e06006c23a68ab8046e89bdeed4b897d21f2646354147e15c1a6ef4f0915ad5da30ff90f2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
    Filesize: 7KB
    MD5: fb982740276921d47692c8b5a1eeb221
    SHA1: 2bef63c27f6c6ccdf8cba0b4e207db7328f13440
    SHA256: 9a86eced34a395fb0709dec13ed94c8c6e9fb2e0f1b8ea3bfd3397e338936229
    SHA512: 6f9a76e6cb4aa5a57a71b43aa3a6d6693ccd8e02f9864ac87c2327fd92201fb4ffa4885e484eec83a16733b44f3ecc3ec31239950995f674ce979c7213f20cf5