Overview

overview

10

Static

static

1

wallpaper.jpg

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wallpaper.jpg

  • Size

    11KB

  • Sample

    240408-nxdg4sbf8v

  • MD5

    d246e2938a820cde7586bed0f346900c

  • SHA1

    c03acdafeee855fdeca8e06b8abc712a1e85b505

  • SHA256

    94e5de9b6c0b0f3376df8563b7e70df7392a452513082300da8b113992cde728

  • SHA512

    0a574f6c84aee25d71479eed5c78d06a12d98f558628a311b08fb1d17609f12403f7d94d2d6d2179faf6252c0e96537a9bb88cae420282d6d211a1e821165d27

  • SSDEEP

    192:khdfAW3/1AMExkhiiNEsD4SbAo0Y2dRhEN8hTA2zVXIDNgPx54mjmx7xDsVQzWB+:CfAmvMkhfNE+PbAox2JEWVXIDmPP4p7d

Score
10/10
dharmaevasionpersistenceransomwarespywarestealertrojan

Malware Config

Targets

    • Target

      wallpaper.jpg

    • Size

      11KB

    • MD5

      d246e2938a820cde7586bed0f346900c

    • SHA1

      c03acdafeee855fdeca8e06b8abc712a1e85b505

    • SHA256

      94e5de9b6c0b0f3376df8563b7e70df7392a452513082300da8b113992cde728

    • SHA512

      0a574f6c84aee25d71479eed5c78d06a12d98f558628a311b08fb1d17609f12403f7d94d2d6d2179faf6252c0e96537a9bb88cae420282d6d211a1e821165d27

    • SSDEEP

      192:khdfAW3/1AMExkhiiNEsD4SbAo0Y2dRhEN8hTA2zVXIDNgPx54mjmx7xDsVQzWB+:CfAmvMkhfNE+PbAox2JEWVXIDmPP4p7d

    Score
    10/10
    dharmaevasionpersistenceransomwarespywarestealertrojan

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (533) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Sets file execution options in registry

      persistence

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

6
T1112

Impair Defenses

3
T1562

Disable or Modify Tools

2
T1562.001

Disable or Modify System Firewall

1
T1562.004

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

3
T1082

Query Registry

1
T1012

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

3
T1490

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks