Overview

overview

10

Static

static

3

553532c3bc...2d.exe

windows11-21h2-x64

10

Resubmissions

14-02-2024 03:46

240214-ebskgagb2t 10

14-02-2024 03:40

240214-d8m6kshc42 10

14-02-2024 03:37

240214-d6vgwafh5v 10

11-09-2020 08:09

200911-rexcktjp1n 10

Analysis

  • max time kernel
    300s
  • max time network
    285s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231222-en
  • resource tags

    arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-02-2024 03:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe

  • Size

    92KB

  • MD5

    b075d1e9bc442a09f38d91133cd8c900

  • SHA1

    8829d9ce9067abb421df21c24b31b5e0ffbf5ca6

  • SHA256

    553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d

  • SHA512

    047d0a3535b33e5058f14c4dee97434278327cd9ffe93b373f23ebbf8e5d02374a5af3526050fd78a1758ef67e95d24b403c5393a1cd9036302ae7eed5705957

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4AsVMbXwOstfc/EqcKBxAvhzvcR:Qw+asqN5aW/hLbwOstcMqckeK

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email backmydata@protonmail.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: backmydata@airmail.cc Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

backmydata@protonmail.com

backmydata@airmail.cc

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (541) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
    "C:\Users\Admin\AppData\Local\Temp\553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:1984
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3316
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:6060
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:8240
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:3248
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:1940
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:7140
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3040
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:4748
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:3972
          • C:\Windows\system32\werfault.exe
            werfault.exe /h /shared Global\99068f9cb22945abaaea2188ab53db4f /t 5996 /p 1940
            1⤵
              PID:1608
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
              1⤵
                PID:312
              • C:\Windows\system32\NOTEPAD.EXE
                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
                1⤵
                  PID:1048
                • C:\Windows\system32\werfault.exe
                  werfault.exe /h /shared Global\e9351b1883504f85a89c83590ff77d09 /t 8484 /p 7140
                  1⤵
                    PID:7060
                  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
                    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
                    1⤵
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:7044
                  • C:\Windows\system32\BackgroundTransferHost.exe
                    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
                    1⤵
                    • Modifies registry class
                    PID:808
                  • C:\Windows\System32\rundll32.exe
                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                    1⤵
                      PID:2388

                    Network

                    MITRE ATT&CK Matrix ATT&CK v13

                    Initial Access

                    Execution

                    Persistence

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Privilege Escalation

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Defense Evasion

                    Indicator Removal

                    2
                    T1070

                    File Deletion

                    2
                    T1070.004

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Unsecured Credentials

                    1
                    T1552

                    Credentials In Files

                    1
                    T1552.001

                    Discovery

                    System Information Discovery

                    1
                    T1082

                    Lateral Movement

                    Collection

                    Data from Local System

                    1
                    T1005

                    Exfiltration

                    Command and Control

                    Impact

                    Inhibit System Recovery

                    2
                    T1490

                    Resource Development

                    Reconnaissance

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-7EBCEA55.[backmydata@protonmail.com].bmd
                      Filesize

                      2.9MB

                      MD5

                      9564b1a1e1cb840e5f02fc22efaed6d1

                      SHA1

                      dea002ababa1b2315c1c79e57bc8f79983b31db1

                      SHA256

                      da1d4e5cf12a102f96f2467c0e75403287fdc51b883c507dbb9453f3a2ade173

                      SHA512

                      a13992b11d54634949814b3b0ecea07a6835484f8bc6f368ca0044af9e46918089794a390aa1e8c1f8f79ad397043e63b2128986d42ebb11178f42d6b0255546

                      Download Submit
                    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                      Filesize

                      7KB

                      MD5

                      b9117839416e6c89f37baa5e8c26946d

                      SHA1

                      5de7aa1af507887451b08a6e8a8be7ace9e39b0a

                      SHA256

                      c423e96b72ab35cfafff6cd95e24470d65976b1fc56b15c643dc6d35a6e87364

                      SHA512

                      f106b4d608010088fd594b220a0ce041b2d3b3e094b8a06cf719782429f00930a1c16c2e8da7ce0c71022fbf8640c3ccb7e7218c721ae8a4d93cdf6255cb0621

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7548c0ce-37a9-4ebf-8524-39d810c2c975.down_data
                      Filesize

                      555KB

                      MD5

                      5683c0028832cae4ef93ca39c8ac5029

                      SHA1

                      248755e4e1db552e0b6f8651b04ca6d1b31a86fb

                      SHA256

                      855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

                      SHA512

                      aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt
                      Filesize

                      846KB

                      MD5

                      766f5efd9efca73b6dfd0fb3d648639f

                      SHA1

                      71928a29c3affb9715d92542ef4cf3472e7931fe

                      SHA256

                      9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

                      SHA512

                      1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

                      Download Submit
                    • C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
                      Filesize

                      234B

                      MD5

                      4a607bbccc5baf0269adf9256e842c15

                      SHA1

                      8191a4765a31abd9877476feea355ea0371e21f7

                      SHA256

                      9d8d5797eb18ddee240b754ddb4fc5cca1cfac0068c963a6ccbed931e507e42c

                      SHA512

                      3663875d951d3be17361b9f2d134ff14ccd8b48cdaba3c55eac12c17cba2d71e34a78a3ab2cd8f3feb4f8e88d06ed4e719295bc466df29e8812bbd41d08116c7

                      Download Submit