Overview

overview

10

Static

static

3

42732ad450...bc.exe

windows7-x64

10

42732ad450...bc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42732ad450696b816913753fa9f53b52ac10922a1df1b5795693db77d532ffbc.exe

  • Size

    206KB

  • MD5

    21be39a453a79ef484ce58b901ba8386

  • SHA1

    2c38dc7aa29fa9e06902d964022495e1af9ab175

  • SHA256

    42732ad450696b816913753fa9f53b52ac10922a1df1b5795693db77d532ffbc

  • SHA512

    bd58cb596f6df702a955c3f8df5cff59417ae30560c3faed53edd010ec3ea6b464b795eca8e035a7b5ea94a2bd0158e5f8e555c666e515ed1315ac71022858f0

  • SSDEEP

    3072:ZuMSJVSEN/NDrNRJ/g8a90dcXyl/74OBnd+pWt0vkOTnYqTVMIgbPrRfSZbGV:ZuMcSElNnjJ3TcXyh74OTa40Mkn7VFI

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours,Tox - 1123AA3360A5AFB77D928C4CD99E9EF66EF28FCEEE1F840B93456FD9CE562B7F92204B0D8904 please download - https://tox.chat/download.html or http://pexdatax.com/ write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
URLs

https://tox.chat/download.html

http://pexdatax.com/

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Detects win.dharma. 2 IoCs
  • Identifies DHARMA ransomware 18 IoCs
  • Renames multiple (496) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\42732ad450696b816913753fa9f53b52ac10922a1df1b5795693db77d532ffbc.exe
    "C:\Users\Admin\AppData\Local\Temp\42732ad450696b816913753fa9f53b52ac10922a1df1b5795693db77d532ffbc.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3904
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:6100
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:6640
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:6260
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:7848
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:7128
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:1228
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:9136
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:7112

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-DA2ED87D.[[email protected]].ROGER
            Filesize

            2.9MB

            MD5

            f5d181c4f3571a5b47637102d9f2d1c7

            SHA1

            907c9517c2ab37803f2438365d2ed41ed956b15a

            SHA256

            e73b9b044872ee0e967e04c16ff7585e5502e75ab71bb4abf968c0d364ecd000

            SHA512

            6b51fef276dbd0b6595f5f13b25261ea2b8d06940c1aeaf02c79656dc15ba10c4518dc892228dd6b6946795afd37b29e0e41c14ec3c249771cb56c048202561a

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            186b007713f95635279b848c4bce994a

            SHA1

            e48c73e5ec15917d9a2cc9e9c6a71e1e765e56e5

            SHA256

            46333b8876221af7999401502b9e700b8a6f8c3d0346c452261705a3d6e5d0f7

            SHA512

            1b07caadf9d35d4f687c48442f7ddd5ab95d530f75fe952b6e2e8211ab201a281f9d9fc94f5e012e8a20ec61fa7abe265252c86c87f6c0f3d8ebc81368a12905

            Download Submit

          • memory/4420-1-0x0000000003170000-0x0000000003270000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4420-2-0x0000000003120000-0x0000000003139000-memory.dmp

            Filesize

            100KB

            Download

          • memory/4420-1170-0x0000000000400000-0x0000000002FC0000-memory.dmp

            Filesize

            43.8MB

            Download

          • memory/4420-14416-0x0000000000400000-0x0000000002FC0000-memory.dmp

            Filesize

            43.8MB

            Download

          • memory/4420-23778-0x0000000003120000-0x0000000003139000-memory.dmp

            Filesize

            100KB

            Download

          • memory/4420-23779-0x0000000003170000-0x0000000003270000-memory.dmp

            Filesize

            1024KB

            Download