Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
11-06-2024 08:34
General
-
Target
cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
-
Size
1.9MB
-
MD5
f09a781eeb97acf68c8c1783e76c29e6
-
SHA1
ec2b7eebfcbf263424ae194817060eac44c380c7
-
SHA256
cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64
-
SHA512
972fc4759d344c3eab157fe8bb345596592895ab9d27546961a93047142e8236dd876f3449a9f60dd5eb93a54035dcd3d7c8d70d468e3233341bfa4d674cfa64
-
SSDEEP
49152:jL7kITp6hTJEfHdQ2+Sd3KmkZt1EOS09VE8zbRfc7id4oPg:YITpmafy2+S5KmkZt1EOSP8zdfc7i5P
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies DHARMA ransomware 8 IoCs
-
Renames multiple (521) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
UPX dump on OEP (original entry point) 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe"C:\Users\Admin\AppData\Local\Temp\cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-581A6791.[[email protected] ].wikiFilesize
2.7MB
MD589e7f1b4ee1b03ab4137252fa8b23b32
SHA108e3af74d04f76ad8d0b3d66820033a87784360b
SHA2561ce4bcab9e93f37d9d51423afec443affd6da5a5251259b9b0e7c517f4f89d6a
SHA512450e88f7b24530b80247b7f64da7ead144bb58cb1ac6ff18a44b3e26fa61439ff0c16a0b07444b04b297617fbe0a9aedfe65d1b6be50a9f2f2b877c0ef5835d3
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaFilesize
13KB
MD5b549ccaa75e44b565b0be74509b6963d
SHA1dd501e80bc08b12f4c45c4b15e4452ce4156fa2a
SHA256e93fb981131459e430369fdbb43ccff8970bf634f50b826dfe5fcf8d46158aff
SHA512a872673a574687535fa3a2ca1f886299e6b43c9c0aba6524ee0ee94a29352070d9168df6134b91770a20f9d4039596ae6604576d1bce7a1f4fb466396201bf17
-
memory/1096-0-0x0000000000400000-0x00000000005E6000-memory.dmpFilesize
1.9MB
-
memory/1096-1-0x0000000000400000-0x00000000005E6000-memory.dmpFilesize
1.9MB
-
memory/1096-2-0x0000000003600000-0x0000000003634000-memory.dmpFilesize
208KB
-
memory/1096-4-0x0000000000400000-0x00000000005E6000-memory.dmpFilesize
1.9MB
-
memory/1096-10351-0x0000000000400000-0x00000000005E6000-memory.dmpFilesize
1.9MB
-
memory/1096-25001-0x0000000003600000-0x0000000003634000-memory.dmpFilesize
208KB