dharma

General

Target

Mamba
Size

144KB
Sample

240504-y9dzhsdd75
MD5

90a3c3b434583638dc94a1e04e2cdce0
SHA1

be67c2962da1d52e438f478d12f7d742569256b7
SHA256

7ae0d31368256c75321032d41332d64cd9687a51f1cee7f7985352bd00d4b932
SHA512

c468ac024c6dad2c78d093ca1bc2a6e821d4d887e9a0fb1d867d9165fac6c4d32d883cddd73af0479f3ff00a6be05f76dc209fa199c351d5b0582c29bf4a81aa
SSDEEP

3072:YJAoEcMBy2XzVuYkPUVMBFSKN+kEIScDQmsc8EsnpXUVwang+7kewnvxQT/jFaYz:U4Qh22n9ddKM2vkm0aWyRv3z9KvZJT33

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

- Target
  
  Mamba
- Size
  
  144KB
- MD5
  
  90a3c3b434583638dc94a1e04e2cdce0
- SHA1
  
  be67c2962da1d52e438f478d12f7d742569256b7
- SHA256
  
  7ae0d31368256c75321032d41332d64cd9687a51f1cee7f7985352bd00d4b932
- SHA512
  
  c468ac024c6dad2c78d093ca1bc2a6e821d4d887e9a0fb1d867d9165fac6c4d32d883cddd73af0479f3ff00a6be05f76dc209fa199c351d5b0582c29bf4a81aa
- SSDEEP
  
  3072:YJAoEcMBy2XzVuYkPUVMBFSKN+kEIScDQmsc8EsnpXUVwang+7kewnvxQT/jFaYz:U4Qh22n9ddKM2vkm0aWyRv3z9KvZJT33
Score

10^/10

dharma wannacry defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan worm
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- UAC bypass
  evasion trojan
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (518) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1