dharma | fc16fdab7b941066c019b8bd0e10e783ffd90f136919a2d030e86e57fa47938e | Triage

Submit
Reports

Overview

overview

Static

static

1

.html

windows10-2004-x64

Sharing

General

Target

.
Size

147KB
Sample

240503-rmnrwaca85
MD5

af35f77e2fd07e35963068ce1b69b98e
SHA1

3dcfc3ea53c485c08fe4b25024d873eb3314e555
SHA256

fc16fdab7b941066c019b8bd0e10e783ffd90f136919a2d030e86e57fa47938e
SHA512

80be7c7f321900d09377fdb8110b30ba010f2fca6e68ea32d2fe5f75c8db39e1439085bc1660183e91f07264742edfe0e2effe2f6c882fd3e94005153b0b4cf9
SSDEEP

1536:o6kud8LonVJoqYarK4DsYNgRyypRMPuNPV5nPztP4FPfaParP8R4DJ2PWTllU0ru:lkPL6WVMllhAY9HhqiS

Score

10^/10

dharma defense_evasion execution impact persistence ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

.html

Resource

win10v2004-20240419-en

dharma defense_evasion execution impact persistence ransomware spyware stealer

windows10-2004-x64

31 signatures

1800 seconds

Malware Config

Targets

- Target
  
  .
- Size
  
  147KB
- MD5
  
  af35f77e2fd07e35963068ce1b69b98e
- SHA1
  
  3dcfc3ea53c485c08fe4b25024d873eb3314e555
- SHA256
  
  fc16fdab7b941066c019b8bd0e10e783ffd90f136919a2d030e86e57fa47938e
- SHA512
  
  80be7c7f321900d09377fdb8110b30ba010f2fca6e68ea32d2fe5f75c8db39e1439085bc1660183e91f07264742edfe0e2effe2f6c882fd3e94005153b0b4cf9
- SSDEEP
  
  1536:o6kud8LonVJoqYarK4DsYNgRyypRMPuNPV5nPztP4FPfaParP8R4DJ2PWTllU0ru:lkPL6WVMllhAY9HhqiS
Score

10^/10

dharma defense_evasion execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (521) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Inhibit System Recovery

Resource Development

Reconnaissance

Tasks

static1

behavioral1

dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy