Overview

overview

10

Static

static

10

8e8b681842...5a.exe

windows7-x64

10

8e8b681842...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 12:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e8b6818423930eea073315743b788aef2f41198961946046b7b89042cb3f95a.exe

  • Size

    92KB

  • MD5

    9d919626f55b47d0766c219ba9b57d27

  • SHA1

    b58c2abea62887342118970ac4cb791765fd72bd

  • SHA256

    8e8b6818423930eea073315743b788aef2f41198961946046b7b89042cb3f95a

  • SHA512

    f901ed68683c481e09b5dbd52ed4d81cdac27711d9c104e933dfcb29a2f89a2c59e8f459fbe10df87c7d66356df2c985c727a0de5c64ca83ddf0205593046008

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4Aa362F8v3Fm6b+awACy3mMP6:Qw+asqN5aW/hLA362FSSuCvF

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email decrypt@europe.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: reservereserv@airmail.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

decrypt@europe.com

reservereserv@airmail.com

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (494) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e8b6818423930eea073315743b788aef2f41198961946046b7b89042cb3f95a.exe
    "C:\Users\Admin\AppData\Local\Temp\8e8b6818423930eea073315743b788aef2f41198961946046b7b89042cb3f95a.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3392
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:3588
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3084
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:6780
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:4912
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:6048
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:6484
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3648

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Indicator Removal

          2
          T1070

          File Deletion

          2
          T1070.004

          Modify Registry

          1
          T1112

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Inhibit System Recovery

          2
          T1490

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-3D3A2D13.[decrypt@europe.com].eur
            Filesize

            2.9MB

            MD5

            efc0e714c11e2b7f70ab0500fc75806d

            SHA1

            9b17cb97ea5b6b2b72b7b7ed9b88c992adb6b830

            SHA256

            7c61aa019eb24f8e14427cf2f17403b88a83ca9051251edf628c6e61e41bf0c5

            SHA512

            e54f460a3f6ca0cd3cf5652229e0cd18e7ab980430dbbbe99bb588482c621f53c74bf19fbd3a1cc4a6f15e14da99ba4311a54077ca204c6d714ba9d3961a272a

            Download Submit
          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            cb5ef469648b3ed82a81c873ecd30970

            SHA1

            14e88c8365e16ed9102643d7eeda4ed6dcde82af

            SHA256

            99b627aa250e49f0d97427b7621078abe06244611cecfd1d5db0a7fa529b5401

            SHA512

            d9c8b9a5866054d7c0dc8c22a4f2b1d0bcc30af741e7e96ac9e92b1b9cf9976560dd63831e6a26ddababfce28a5cfd0e6ca44b3bd7fcf38e9b5d4b933dcc8b92

            Download Submit