Overview

overview

10

Static

static

3

2024-01-11...ma.exe

windows7-x64

10

2024-01-11...ma.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    2s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2024 05:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

  • Size

    92KB

  • MD5

    0197eb32a39518adbc118ec0559a395c

  • SHA1

    c81f411cb16e5692f7ea92eebb7f4120e4ad4129

  • SHA256

    5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22

  • SHA512

    97402aa309817bb12aa016b5d151158d3ea6bd5aee153ac726e66fda25f61e4dd6ae9a1274daba4eaab0a253bad3d38af2a04012cba0bdb9af0ef5ce209559d5

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4AR2DAQHPPyHn2OzT3R46F7pcwwTXO:Qw+asqN5aW/hL+v+Xl7l

Score
10/10
dharmapersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! Don't worry, you can return all your files! If you want to restore them, write to the mail: aerossh@cock.li YOUR ID aerossh@proton.me Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

aerossh@cock.li

aerossh@proton.me

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:928
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:6716
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
          PID:6288
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:8520
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:8516
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
              PID:3196
            • C:\Windows\system32\mode.com
              mode con cp select=1251
              1⤵
                PID:8136
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                1⤵
                • Interacts with shadow copies
                PID:6080

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Defense Evasion

              Indicator Removal

              2
              T1070

              File Deletion

              2
              T1070.004

              Modify Registry

              1
              T1112

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Inhibit System Recovery

              2
              T1490

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-C0905367.[aerossh@nerdmail.co].AeR
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                Filesize

                4KB

                MD5

                20a69f1a6d158008842397905e9ea5e2

                SHA1

                35050d5a90e0b15863874f0b3ea54c725a13067e

                SHA256

                6a82ec020929c089dae8c2961ad0d435925824f26d5a7a988c86931e7271fd2e

                SHA512

                37e9ab15ee4c0643c744207d8c79a603693133fd78a9de29f8abd4c25beb4efa23f1f9f857ca2abc52fd9df918ef24fd8b7221897c8cccd4b6dff64c46ec5969

                Download Submit