Overview

overview

10

Static

static

3

0f2c468593...cc.exe

windows7-x64

10

0f2c468593...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2023 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f2c4685932a74e8a7bd4733ceea0fcc.exe

  • Size

    92KB

  • MD5

    0f2c4685932a74e8a7bd4733ceea0fcc

  • SHA1

    51201bbf3d9b532d8882a4cda4fa40f35d093179

  • SHA256

    b0817a23a0189f43f8ceeb9899ade839f07da58dcf5a522d563c15382fba305a

  • SHA512

    c397d75914c49eba7725f886845aa8a6b02cfbbaef59f858507b0ebce836aafb9743bafd2f409097ec45eb68e0c333cfda0fc0607b37ddbbaca6c23e2f73d461

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4A+owcTqXrUMW/E4RwlROQA1d2x3u:Qw+asqN5aW/hL0X6wbmd2x3u

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email itteam122@aol.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: itteam122@techmail.info Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

itteam122@aol.com

itteam122@techmail.info

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (496) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f2c4685932a74e8a7bd4733ceea0fcc.exe
    "C:\Users\Admin\AppData\Local\Temp\0f2c4685932a74e8a7bd4733ceea0fcc.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5396
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:3816
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:7136
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:8972
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:7644
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:3172
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:4600
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:6536
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4708

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Indicator Removal

          2
          T1070

          File Deletion

          2
          T1070.004

          Modify Registry

          1
          T1112

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Inhibit System Recovery

          2
          T1490

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-F261DA6F.[itteam122@aol.com].ROGER
            Filesize

            2.3MB

            MD5

            123dfcf40ef47fd7b66514c0d18da067

            SHA1

            fac8a079d286d2413e49267e5b78669391431a93

            SHA256

            1543ba18562448fefbbdb7595f9cd5d8d605d138cfdc54ba746cff0a0acb1763

            SHA512

            6d40fdf41a3b067740cc62e9d5a36ef574d6f654309c6d65a8da2da622b6a48d56a3e279654dceeb7d8046946eb4a650b1e08bad429c4d34d516d99bb4c0d62b

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            4815a90b3a73346f276feacb0fd775c4

            SHA1

            a16d2f56062e0af0cc4c6741141c062131a562d3

            SHA256

            1b6cde0723379d14dc45dcc358f7a59e9ce35d487a2f5243a2a8ca113b26bef0

            SHA512

            96c9fc7cf07c7da3d44d2f339fb66e94f0275cec8b06199a713ff94c599ed5d03497c10a943efacf0affcecfb1ecd934c55c6b4609ba78b46cc78981741d8827

            Download Submit