General

  • Target

    2024-05-16_fb953d1eaea934f718afb7de43b6a91f_crysis_dharma

  • Size

    92KB

  • Sample

    240516-2fbtvabg75

  • MD5

    fb953d1eaea934f718afb7de43b6a91f

  • SHA1

    f30ac814ef19e45119ecff2e64256d3c1b7d1864

  • SHA256

    df7fe80d2ea970965f5eadcba3b981391f969fbd98a804f4ac3364a57a237cf4

  • SHA512

    8c1d6b7e579e84530dcac95b63f07c84c647d531a0f3bdf2646957537f4fda7a5f3d5f01b91fc1f86370ebfe1c7bb4d54e8ee023197264096ca05485609b9dc6

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4AsFjrC+wIVwcbTO8SapkbAnkTfKYk1xZqx60Fm8:Qw+asqN5aW/hLsCQCc5vkjKxCx60Fr

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
We downloaded to our servers and encrypted all your databases and personal information! If you do not write to us within 24 hours, we will start publishing and selling your data on the darknet on hacker sites and offer the information to your competitors email us: hatorihanzo@onionmail.org YOUR ID If you haven't heard back within 24 hours, write to this email: hatorihanzo@tutamail.com IMPORTANT INFORMATION! Keep in mind that once your data appears on our leak site,it could be bought by your competitors at any second, so don't hesitate for a long time.The sooner you pay the ransom, the sooner your company will be safe.. Guarantee:If we don't provide you with a decryptor or delete your data after you pay,no one will pay us in the future. We value our reputation. Guarantee key:To prove that the decryption key exists, we can test the file (not the database and backup) for free. Do not try to decrypt your data using third party software, it may cause permanent data loss. Don't go to recovery companies - they are essentially just middlemen.Decryption of your files with the help of third parties may cause increased price (they add their fee to our) we're the only ones who have the decryption keys.
Emails

hatorihanzo@onionmail.org

hatorihanzo@tutamail.com

Targets

    • Target

      2024-05-16_fb953d1eaea934f718afb7de43b6a91f_crysis_dharma

    • Size

      92KB

    • MD5

      fb953d1eaea934f718afb7de43b6a91f

    • SHA1

      f30ac814ef19e45119ecff2e64256d3c1b7d1864

    • SHA256

      df7fe80d2ea970965f5eadcba3b981391f969fbd98a804f4ac3364a57a237cf4

    • SHA512

      8c1d6b7e579e84530dcac95b63f07c84c647d531a0f3bdf2646957537f4fda7a5f3d5f01b91fc1f86370ebfe1c7bb4d54e8ee023197264096ca05485609b9dc6

    • SSDEEP

      1536:mBwl+KXpsqN5vlwWYyhY9S4AsFjrC+wIVwcbTO8SapkbAnkTfKYk1xZqx60Fm8:Qw+asqN5aW/hLsCQCc5vkjKxCx60Fr

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (322) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Tasks