General
-
Target
HL_SW19806.zip
-
Size
10.9MB
-
Sample
240302-l7r25scf66
-
MD5
5011f37cf2b9ea0d1282f3a6621f48c6
-
SHA1
859c463ab0254fd5c7a6e8ec5f1770f20a5ac261
-
SHA256
9c58d02dbe89cc8edef1ed855673fc2fd2d6dfcff664d7c138404c9b788b60bc
-
SHA512
a698805d3db79846e18efe910ac98c77912ee650f2a843b1b8534597255ea24160d0b65336db376b099007981ad089db436695e6a9c4f8d24f7009d01fb1ff34
-
SSDEEP
196608:ZEPW6Ya4YKW9T8WA/9Z4RS5farycMJCnxeL7qGBrbp2OsYZ8hxpBhTdsjR:KPW6T8FXdfaxMJCxeL7Vp2GUxNBsjR
Static task
static1
Behavioral task
behavioral1
Sample
HLlib.dll
Resource
win11-20240221-en
Malware Config
Targets
-
-
Target
HLlib.dll
-
Size
7B
-
MD5
6629e06467507a1cec63e311e5bfef95
-
SHA1
01e9b7f87a4e1484293b5f688480740bc5251544
-
SHA256
af9323627c09003e6979528b9ec9c1ba8064d0e42103564d006ff205634823db
-
SHA512
a8cf7ba7d73a2428009d9f23ffddf8f9c4dced97f1d9f42dd839a7cd6da5cd9c942e3496acc95832853f9ae8650d039a79273d8e578d2e9658d738b8a0a88156
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Modifies WinLogon for persistence
-
Renames multiple (539) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Sets file execution options in registry
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1