Overview

overview

10

Static

static

10

2024-06-11...ma.exe

windows7-x64

10

2024-06-11...ma.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-11_e3840d3ae2255fe5a8414f0da16f877c_crysis_dharma.exe

  • Size

    92KB

  • MD5

    e3840d3ae2255fe5a8414f0da16f877c

  • SHA1

    2fa8674341a726bccbc990346f142577d915f55b

  • SHA256

    9959ff057928c12048a361533d4c37449336cc6be2396d81e1f9c0976f969075

  • SHA512

    633b91b8f49b2901c8bbfb064f92952c7b81f1c2882e6d00f374eabe65aa089800ce347c339f965d38cc1ad845b210a6f3e5efa0d54bc56b00c0c43b9a420b52

  • SSDEEP

    1536:GBwl+KXpsqN5vlwWYyhZ9S4AMx1QvXxrCA4/6yqdZ7wWEf:ww+asqN5aW/hS8kbyqdREf

Score
10/10
dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 3A4A29D5 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (522) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-11_e3840d3ae2255fe5a8414f0da16f877c_crysis_dharma.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_e3840d3ae2255fe5a8414f0da16f877c_crysis_dharma.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:1116
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:6304
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:9468
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:10120
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:8104
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:3212
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:8920
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5548

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-3A4A29D5.[[email protected]].pgp
            Filesize

            2.7MB

            MD5

            0fa028a483ffc29bb08a8b7eb4468dc5

            SHA1

            46ced9acf27cfbf13579c29feafb4c65b5534e9c

            SHA256

            01238d825d802ef64e6374fe52e552c1c7ce99223ba53f54e8133d303816f405

            SHA512

            48fb685df1e1ab23588e0e8f2a3683616cd4aadd47af2128da8e4fee4af846a7e980638c3485925ac53ee7a990be22b7eaecc304ab9bb76acad555394135710c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            13KB

            MD5

            3b402e914822aff190caf1f2591f9744

            SHA1

            3f430dabe917848c087d1ec59a5cd99321bd7f0d

            SHA256

            7063ce7eda44427a7fe16fd221efba831353332be94c20003e0ffd27fbc4e83a

            SHA512

            64dc7676ded31b47d9b4e78d2ad75ce71857b5d52860789ab043dfbf5a4bd375188546147f451d5bd12bd2b05b38d488149bb1dcc084b871b348ef15dd9e3e4b

            Download Submit