Overview

overview

10

Static

static

1

HLlib.dll

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    HL_SW19806.zip

  • Size

    10.9MB

  • Sample

    240302-l7r25scf66

  • MD5

    5011f37cf2b9ea0d1282f3a6621f48c6

  • SHA1

    859c463ab0254fd5c7a6e8ec5f1770f20a5ac261

  • SHA256

    9c58d02dbe89cc8edef1ed855673fc2fd2d6dfcff664d7c138404c9b788b60bc

  • SHA512

    a698805d3db79846e18efe910ac98c77912ee650f2a843b1b8534597255ea24160d0b65336db376b099007981ad089db436695e6a9c4f8d24f7009d01fb1ff34

  • SSDEEP

    196608:ZEPW6Ya4YKW9T8WA/9Z4RS5farycMJCnxeL7qGBrbp2OsYZ8hxpBhTdsjR:KPW6T8FXdfaxMJCxeL7Vp2GUxNBsjR

Score
10/10
dharmaevasionpersistenceransomwarespywarestealertrojan

Malware Config

Targets

    • Target

      HLlib.dll

    • Size

      7B

    • MD5

      6629e06467507a1cec63e311e5bfef95

    • SHA1

      01e9b7f87a4e1484293b5f688480740bc5251544

    • SHA256

      af9323627c09003e6979528b9ec9c1ba8064d0e42103564d006ff205634823db

    • SHA512

      a8cf7ba7d73a2428009d9f23ffddf8f9c4dced97f1d9f42dd839a7cd6da5cd9c942e3496acc95832853f9ae8650d039a79273d8e578d2e9658d738b8a0a88156

    Score
    10/10
    dharmaevasionpersistenceransomwarespywarestealertrojan

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (539) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Sets file execution options in registry

      persistence

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

6
T1112

Impair Defenses

3
T1562

Disable or Modify Tools

2
T1562.001

Disable or Modify System Firewall

1
T1562.004

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

3
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

3
T1490

Resource Development

Reconnaissance

Tasks