Overview

overview

10

Static

static

3

b565c8e1e8...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-04-2024 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe

  • Size

    92KB

  • MD5

    0c4cbf1cb8e5065f8df8c8adc4f80e84

  • SHA1

    fe9fa42f2cd4e261783b14b6cf9a28b51162590d

  • SHA256

    b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039

  • SHA512

    c6e5215ae24f65b18235edfa5295c5dca94f4bba7357b74aa376a4f80efb55f1319b7b9a0e8ecca6788b286faf999a3dbc84a6d1c9f165238f721e5fff50e329

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4Azg43jW0nLLJbiO3YhP1SKiRgQ:Qw+asqN5aW/hLm2jW0nnJbL3And

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email yourfiles1@tutanota.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: yourfiles1@cock.li Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

yourfiles1@tutanota.com

yourfiles1@cock.li

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (501) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
    "C:\Users\Admin\AppData\Local\Temp\b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:7988
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:4436
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:9120
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:8876
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:8232
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:6800
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:5540
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3160

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Indicator Removal

          2
          T1070

          File Deletion

          2
          T1070.004

          Modify Registry

          1
          T1112

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Inhibit System Recovery

          2
          T1490

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-C652CEF5.[yourfiles1@tutanota.com].FLYU
            Filesize

            2.9MB

            MD5

            40dcdaf3ed6e51c439a27126cf5c40e5

            SHA1

            0091bf762b1d2629f3c4727c8c544955c8b81b5e

            SHA256

            7082c34f996d1d2e46b130881caae1ff3160077e7e4c0c041d891f92c476ba5a

            SHA512

            40e93c0fbcd00052a11e32bfbc478b2dd54c1aaa061e0c172f682637b6d3b35e078c348460a565b96a4001b45deaf62241329d624d4b134f4189932535d6dffa

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            a442a1a2405371b00bef37699944afe0

            SHA1

            ebce796335bf7429b0fe5bc3ed348e8c3322b948

            SHA256

            e88b1bd19ff5e894234bc3a22503964f1a7d8e4ea2ced11d98038fe0993adae1

            SHA512

            5540565c61356910207ba4f0f193e342f3fd0058a89f41de9b0baf46df8f54859109a1d71148359892da770ee7772f4a46be7d865fe5375a9d0ce327bb736ab7

            Download Submit