Overview

overview

10

Static

static

3

553532c3bc...2d.exe

windows7-x64

10

Resubmissions

14-02-2024 03:46

240214-ebskgagb2t 10

14-02-2024 03:40

240214-d8m6kshc42 10

14-02-2024 03:37

240214-d6vgwafh5v 10

11-09-2020 08:09

200911-rexcktjp1n 10

Analysis

  • max time kernel
    251s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    14-02-2024 03:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe

  • Size

    92KB

  • MD5

    b075d1e9bc442a09f38d91133cd8c900

  • SHA1

    8829d9ce9067abb421df21c24b31b5e0ffbf5ca6

  • SHA256

    553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d

  • SHA512

    047d0a3535b33e5058f14c4dee97434278327cd9ffe93b373f23ebbf8e5d02374a5af3526050fd78a1758ef67e95d24b403c5393a1cd9036302ae7eed5705957

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4AsVMbXwOstfc/EqcKBxAvhzvcR:Qw+asqN5aW/hLbwOstcMqckeK

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email backmydata@protonmail.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: backmydata@airmail.cc Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

backmydata@protonmail.com

backmydata@airmail.cc

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (310) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
    "C:\Users\Admin\AppData\Local\Temp\553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:2120
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2804
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:3856
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:3680
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
          • Modifies Internet Explorer settings
          PID:3172
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
          • Modifies Internet Explorer settings
          PID:3940
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2276
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4e4
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4064
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
        1⤵
          PID:1648

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Indicator Removal

        2
        T1070

        File Deletion

        2
        T1070.004

        Modify Registry

        2
        T1112

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        2
        T1490

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-B103DB0C.[backmydata@protonmail.com].bmd
          Filesize

          23.5MB

          MD5

          607cbfa8a3d113bc66f6b87c0a152f0b

          SHA1

          109b86dec24b7d444d7b67bb14d2f5b5e8b97cb1

          SHA256

          6c5313280adde56f87a4546d83f0797dd7dce1bfcf651a127682abe243ebf167

          SHA512

          defe0c97e9c6c9fd796330b2df6e47a877b539ef3dcfb8270f67f91b866f32cff657b21dbeda4042b1fff54ed74b135d9ccb12db260107a6ad5456a0bf755715

          Download Submit
        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
          Filesize

          7KB

          MD5

          9fafd4b4c9278d1eb2f244cc2a3694a8

          SHA1

          0212ee275c4f52c4388338df25c941febf08bb04

          SHA256

          d6cd25bbefe9c09318564921f68bab405effde429ec00059af10f4a3417fddb9

          SHA512

          a2950b5ccd29bc9b234a79356d355b4dea282a4d9b0c397313291ae0ef4e9493483d46aa6417050fffd944c789016d7451a5994bb7d0b6d54077cba79230d9aa

          Download Submit
        • C:\Users\Public\Desktop\FILES ENCRYPTED.txt
          Filesize

          234B

          MD5

          4a607bbccc5baf0269adf9256e842c15

          SHA1

          8191a4765a31abd9877476feea355ea0371e21f7

          SHA256

          9d8d5797eb18ddee240b754ddb4fc5cca1cfac0068c963a6ccbed931e507e42c

          SHA512

          3663875d951d3be17361b9f2d134ff14ccd8b48cdaba3c55eac12c17cba2d71e34a78a3ab2cd8f3feb4f8e88d06ed4e719295bc466df29e8812bbd41d08116c7

          Download Submit