Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-04-2024 03:36

General

  • Target

    2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe

  • Size

    92KB

  • MD5

    5b3f40d956be53a1e5acbb36124ed577

  • SHA1

    bd077f5467d840e3e782841b687c61512b96bc47

  • SHA256

    e2636c32991e3e8b061d88daf3e769a6263d9a02ee27eae9a2e78ccf3ef1fec5

  • SHA512

    b6ab8ccbc8fdbef4dff66f1062e4ea37da1f76421e306b4cf7a43f58fe9e520bd8ba29363e8897b55a98facf42a52215386506aeebf8e93551e00c96edee3e78

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4Ab6FDs1AtY4cvCPu5KLp+f87:Qw+asqN5aW/hL96FDs1ADPiipc87

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
HWABAG! All your files have been encrypted due you being pure NAS coal.

If you want to restore them, post a thread on this website: https://soyjak.party/raid/
Write this ID in the subject of your post: 0C99FD02
In case of no answer in 24 hours contact us at this e-mail: cobson@hwabag.us

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

cobson@hwabag.us

URLs

https://soyjak.party/raid/

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (496) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-10_5b3f40d956be53a1e5acbb36124ed577_crysis_dharma.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:1076
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4588
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:6096
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4924
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      • Blocklisted process makes network request
      PID:6556
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      • Blocklisted process makes network request
      PID:5692
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:776

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    T1070 Indicator Removal (2)
    T1070.004 File Deletion (2)
    T1112 Modify Registry (1)
  • Credential Access
    T1552 Unsecured Credentials (1)
    T1552.001 Credentials In Files (1)
  • Discovery
    T1012 Query Registry (1)
    T1082 System Information Discovery (2)
  • Collection
    T1005 Data from Local System (1)
  • Command and Control
    T1102 Web Service (1)
  • Impact
    T1490 Inhibit System Recovery (2)

Downloads

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-0C99FD02.[cobson@hwabag.us].HWABAG
    Filesize 2.9MB
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize 1KB
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize 724B
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
    Filesize 471B
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize 410B
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize 392B
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
    Filesize 412B
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
    Filesize 4KB