dharma | dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

Analysis

max time kernel
7s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CoronaVirus.exe
Size

1.0MB
MD5

055d1462f66a350d9886542d4d79bc2b
SHA1

f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256

dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512

2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
SSDEEP

24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Score

10^/10

dharma defense_evasion execution impact persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2984	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1264	CoronaVirus.exe
1264	CoronaVirus.exe
1264	CoronaVirus.exe
1264	CoronaVirus.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1360	1264	CoronaVirus.exe	87
PID 1264 wrote to memory of 1360	1264	CoronaVirus.exe	87

C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe
"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:1360
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:30716
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-040817F2.[[email protected]].ncov

Filesize
3.2MB

MD5
0720f70a77af8990f9680fb50ae12a18

SHA1
b6b988e490ef245180df10a2fea27d3a5348521f

SHA256
fa25216a42f48329634799f40924bb9af745917f58681f90d244108de285cf69

SHA512
f8a2620feafa401d7dbc6885465a7f3fe90251df1606864a48a3653a6611c69161aa28e88830adf9089011f78e42e27d0d4521581de59b55ee1a30ab8a9c4a26

Download Submit
memory/1264-0-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1264-1-0x000000000ADC0000-0x000000000ADF4000-memory.dmp

Filesize
208KB

Download
memory/1264-3-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download