Overview

overview

10

Static

static

3

samples4.zip

windows7-x64

1

samples4.zip

windows10-2004-x64

1

0e60d49a96...01.exe

windows7-x64

0e60d49a96...01.exe

windows10-2004-x64

1ce5dd21fb...1e.exe

windows7-x64

10

1ce5dd21fb...1e.exe

windows10-2004-x64

10

3c73425d02...e6.exe

windows7-x64

6

3c73425d02...e6.exe

windows10-2004-x64

6

5df6314b5c...5b.exe

windows7-x64

10

5df6314b5c...5b.exe

windows10-2004-x64

10

5ee5166c02...93.exe

windows7-x64

10

5ee5166c02...93.exe

windows10-2004-x64

10

5f7cdd8c28...02.exe

windows7-x64

7

5f7cdd8c28...02.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01-01-2024 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3/5df6314b5c6f6bd151a5fda104d32655c5b.exe

  • Size

    4.5MB

  • MD5

    407ba61bab1c10cabf0b5a7c40d43041

  • SHA1

    82d180dc50763c6a71f8449ef44e467afbc09e74

  • SHA256

    5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3

  • SHA512

    73bd51f5885587ec5c930d4ab0cd543b9b0479304c4a3c03d73abdd7b064a2ec4e8b01af45f7517072ce12daa2cfb679589603060438bfafa331a0b66b926f4a

  • SSDEEP

    98304:BD9WybBsIt6XW7JD9ENTPZsz3yilw5OLEvvybN/aBDPsfut6e:BxWaBhP719CCzC2EO4vvyb5a1mu0e

Score
10/10
dharmaevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message CE303D24 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Renames multiple (314) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3\5df6314b5c6f6bd151a5fda104d32655c5b.exe
    "C:\Users\Admin\AppData\Local\Temp\5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3\5df6314b5c6f6bd151a5fda104d32655c5b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops startup file
    • Identifies Wine through registry keys
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2480
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1652
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:3256
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:3372
  • C:\Windows\system32\mode.com
    mode con cp select=1251
    1⤵
      PID:1812
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      1⤵
      • Interacts with shadow copies
      PID:2796
    • C:\Windows\system32\mode.com
      mode con cp select=1251
      1⤵
        PID:3888
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        1⤵
        • Interacts with shadow copies
        PID:2680

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-CE303D24.[[email protected]].bip
        Filesize

        2.0MB

        MD5

        035787671e2bb43ea8b4e442717a829c

        SHA1

        4bc73e2d2f2eac14a29ce2f9623c5e29cadb40b2

        SHA256

        e187e1448ba2d84150dfbde0d9a474814b6fbb5f29562c49aea2501293cff3b4

        SHA512

        df5baee054747cafeec9a01ae51abcf3c7af2a78f73e2903deff05062dd7a26e04a4e8b0ff04473c77e0c944c3dc2128b610c13bbc70184e918e4105e1d56162

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
        Filesize

        13KB

        MD5

        38864ff9c022b74cbd17765b791a967a

        SHA1

        ab54266251358643d4a99937e50f9dee8555a67f

        SHA256

        ac4b10173ce3d701b7f17f9171f2322a9b6d2915edd5ee00130042961ebc5c5a

        SHA512

        dba43b08b9db1267dc033635290edb0e970403f546198d8a22b75cfb6d7c6bd9ab8facd1f852a17922867b723e5c8c9a28827b2405a416a31f1039668579bede

        Download Submit

      • memory/1792-0-0x0000000000400000-0x0000000000B54000-memory.dmp

        Filesize

        7.3MB

        Download

      • memory/1792-1-0x0000000077C20000-0x0000000077C22000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1792-8-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1792-7-0x0000000000400000-0x0000000000B54000-memory.dmp

        Filesize

        7.3MB

        Download

      • memory/1792-11017-0x0000000000400000-0x0000000000B54000-memory.dmp

        Filesize

        7.3MB

        Download

      • memory/3372-20223-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

        Filesize

        64KB

        Download