dharma

General

Target

.
Size

146KB
Sample

240405-x27q7abh2t
MD5

9d67313f4c60b09be819774a1ec769b5
SHA1

345f77cf37475defebf39f898d2b75a846dc7653
SHA256

9cf703e505b176f1b8a727b00794c672b1c4b8131b577ce75af5338e00ae0195
SHA512

20af059e6b5ec2faac09397e4837389bf0946d05546e387d7346b843ac2b81131097f3f98e7f04ae94e84881307279be499e6da4357ff7d66729c4bd79a6dae7
SSDEEP

1536:o6kud8LFVMUK4DgnVR4DBllKoVkL30vD9329s4DCHhqiS:BkPLFoVsllXmxUHhqiS

Score

10^/10

Malware Config

Targets

- Target
  
  .
- Size
  
  146KB
- MD5
  
  9d67313f4c60b09be819774a1ec769b5
- SHA1
  
  345f77cf37475defebf39f898d2b75a846dc7653
- SHA256
  
  9cf703e505b176f1b8a727b00794c672b1c4b8131b577ce75af5338e00ae0195
- SHA512
  
  20af059e6b5ec2faac09397e4837389bf0946d05546e387d7346b843ac2b81131097f3f98e7f04ae94e84881307279be499e6da4357ff7d66729c4bd79a6dae7
- SSDEEP
  
  1536:o6kud8LFVMUK4DgnVR4DBllKoVkL30vD9329s4DCHhqiS:BkPLFoVsllXmxUHhqiS
Score

10^/10

dharma bootkit discovery evasion persistence ransomware spyware stealer trojan
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Suspicious use of NtCreateProcessExOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (188) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- Uses Session Manager for persistence
  Creates Session Manager registry key to run executable early in system boot.
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1