dharma | dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

Analysis

max time kernel
7s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CoronaVirus.exe
Size

1.0MB
MD5

055d1462f66a350d9886542d4d79bc2b
SHA1

f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256

dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512

2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
SSDEEP

24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Score

10^/10

dharma defense_evasion execution impact persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Drops startup file 1 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops file in System32 directory 1 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2984 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

CoronaVirus.exe

pid process

1264 CoronaVirus.exe
1264 CoronaVirus.exe
1264 CoronaVirus.exe
1264 CoronaVirus.exe

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

pid	process
2984	vssadmin.exe

pid	process
1264	CoronaVirus.exe
1264	CoronaVirus.exe
1264	CoronaVirus.exe
1264	CoronaVirus.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

CoronaVirus.exe

description	pid	process	target process
PID 1264 wrote to memory of 1360	1264	CoronaVirus.exe	cmd.exe
PID 1264 wrote to memory of 1360	1264	CoronaVirus.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe
"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:1360

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:30716

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2984

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-040817F2.[[email protected]].ncov
Filesize
3.2MB

MD5
0720f70a77af8990f9680fb50ae12a18

SHA1
b6b988e490ef245180df10a2fea27d3a5348521f

SHA256
fa25216a42f48329634799f40924bb9af745917f58681f90d244108de285cf69

SHA512
f8a2620feafa401d7dbc6885465a7f3fe90251df1606864a48a3653a6611c69161aa28e88830adf9089011f78e42e27d0d4521581de59b55ee1a30ab8a9c4a26

Download Submit
memory/1264-0-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1264-1-0x000000000ADC0000-0x000000000ADF4000-memory.dmp

Filesize
208KB

Download
memory/1264-3-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads