dharma | 249bd41de9fc96914e98d104dd50d6e4a8184e6bba932ff394c1fe9d0c0f61dc | Triage

Sharing

General

Target

230916-vxxdjsfa22_pw_infected.zip.zip
Size

212KB
Sample

240316-s9jl4sea7x
MD5

5063226e561df8ac092e543ae72030fc
SHA1

2c02f6dcfe30a92c829e373c1cd24f106f6bb20e
SHA256

249bd41de9fc96914e98d104dd50d6e4a8184e6bba932ff394c1fe9d0c0f61dc
SHA512

04afa73d7d67456312dfccabc352af624c8242cf4030b18b3daf87429f96d082a0740db9eab519a307b013336a6adc444c142204b1098e67b2b41f7d3e5d547a
SSDEEP

6144:dnYHmMlUAWt4M48zyliwJA/oIfcm20BbTc:F5MlR3qWlik60m9Tc

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Targets

- Target
  
  52b973c029f230ba1049d1438ff7a960exe_JC.exe
- Size
  
  440KB
- MD5
  
  52b973c029f230ba1049d1438ff7a960
- SHA1
  
  c7c8790cd93463fea65921abfb44a5ed81788ab5
- SHA256
  
  a8987722e326199edfa57b05912e962115d7e408ece800b53ed84a78d6a195a6
- SHA512
  
  7b3b7aff02e7e15c557c618abfd243bb3b6510914aa8b2ea1eef76186c2ef7045a3848cded0b4530c67c113824c5b066fbca18df0f8a09e3e76795947d458605
- SSDEEP
  
  6144:LQkAFTZe+DD2/wNvGaNgmQPzSI58KP0Pt8piGijRTGJd9jB:kTFTZFDGwtGigBFeKP0Pt+iGEMTd
Score

10^/10

dharma persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (291) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Inhibit System Recovery

Tasks

static1

behavioral1

dharmapersistenceransomwarespywarestealer

behavioral2

dharmapersistenceransomwarespywarestealer

behavioral3

dharmapersistenceransomwarespywarestealer

behavioral4

dharmapersistenceransomwarespywarestealer