Overview

overview

10

Static

static

3

1705aa5fa7...a1.exe

windows7-x64

10

1705aa5fa7...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    25-02-2024 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1705aa5fa77ee0e563073c266fe570d324ba1adf6f9f26a8ed0e908773f046a1.exe

  • Size

    507KB

  • MD5

    0ab47cd53a26a51152d973210faf75e6

  • SHA1

    af3b11c1c9b28122514eb563be62842c0cee9dd8

  • SHA256

    1705aa5fa77ee0e563073c266fe570d324ba1adf6f9f26a8ed0e908773f046a1

  • SHA512

    d692a9bb955bafbcda7f1f6021e6c43cd8a8a03a1136d3e213cda9cba7d97906ed799b114eb39f95fbb17b5721b83d38b65f30589370193f7a2636dfa4350d54

  • SSDEEP

    12288:yRzQp4CmtvyFfdGSL33Q4FIb2fBGohp5h:ibPl3M33jfAon5

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail MerlinWebster@aol.com Write this ID in the title of your message DF960DD3 In case of no answer in 24 hours write us to theese e-mails: MerlinWebster@aol.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

MerlinWebster@aol.com

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Detects win.dharma. 1 IoCs
  • Identifies DHARMA ransomware 4 IoCs
  • Renames multiple (311) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\1705aa5fa77ee0e563073c266fe570d324ba1adf6f9f26a8ed0e908773f046a1.exe
    "C:\Users\Admin\AppData\Local\Temp\1705aa5fa77ee0e563073c266fe570d324ba1adf6f9f26a8ed0e908773f046a1.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\AppData\Local\Temp\1705aa5fa77ee0e563073c266fe570d324ba1adf6f9f26a8ed0e908773f046a1.exe
      C:\Users\Admin\AppData\Local\Temp\1705aa5fa77ee0e563073c266fe570d324ba1adf6f9f26a8ed0e908773f046a1.exe
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          4⤵
            PID:2468
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:1536
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\Windows\system32\mode.com
            mode con cp select=1251
            4⤵
              PID:3052
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:2584
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            3⤵
            • Modifies Internet Explorer settings
            PID:1172
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            3⤵
            • Modifies Internet Explorer settings
            PID:2588
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2988

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Indicator Removal

      2
      T1070

      File Deletion

      2
      T1070.004

      Modify Registry

      2
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      2
      T1490

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-DF960DD3.[MerlinWebster@aol.com].harma
        Filesize

        554KB

        MD5

        61c4faa6e6cba69f5ba0700f11c923be

        SHA1

        a5993c7191ed50d148f27f4bf105b21a68aa5a75

        SHA256

        56bbdc2eee48b81c6755a9d957cb807e04626a769058af256f709b88383f0aa9

        SHA512

        4e0401d412b4423876446647c7d58271ec2a88a5fa02f10437bfdad6ebfec4fb6d6db5510f4093ccdcac08710e88a90dfcb77ec09742a4b397bb52832ef5f550

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.lnk
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
        Filesize

        13KB

        MD5

        58e02776e2c486dcf05fd8cd060fa7dd

        SHA1

        e91e651b6fd0d2b42bfc93a0250a65df9018a0cc

        SHA256

        6e770a84891fe593a6cddb28fe4c12390e078949219b2c59975d337dd47ac6cd

        SHA512

        faa5ba9323987a24fc16a25cefcec84a61e1e38cacb39f331958a9fbb3828d9cc0945528afe2950436f8fdb4b54c458d89a12a0ccfd3c027f586ce2f11f23634

        Download Submit
      • memory/1172-20201-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1280-0-0x0000000000400000-0x0000000000484000-memory.dmp
        Filesize

        528KB

        Download
      • memory/1280-2-0x0000000001E70000-0x0000000001E90000-memory.dmp
        Filesize

        128KB

        Download
      • memory/1280-3-0x0000000001E70000-0x0000000001E90000-memory.dmp
        Filesize

        128KB

        Download
      • memory/2600-16151-0x0000000000400000-0x0000000000419000-memory.dmp
        Filesize

        100KB

        Download