Overview

overview

10

Static

static

3

Ransomware...us.exe

windows7-x64

10

Ransomware...us.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    12-06-2024 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware CoronaVirus.exe

  • Size

    1.0MB

  • MD5

    055d1462f66a350d9886542d4d79bc2b

  • SHA1

    f1086d2f667d807dbb1aa362a7a809ea119f2565

  • SHA256

    dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

  • SHA512

    2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

  • SSDEEP

    24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Score
10/10
dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 5A75B46B In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (312) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware CoronaVirus.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware CoronaVirus.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2116
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
        PID:2476
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:2156
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:3404
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          2⤵
            PID:4932
            • C:\Windows\system32\mode.com
              mode con cp select=1251
              3⤵
                PID:4764
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                3⤵
                • Interacts with shadow copies
                PID:4708
            • C:\Windows\System32\mshta.exe
              "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
              2⤵
              • Modifies Internet Explorer settings
              PID:2756
            • C:\Windows\System32\mshta.exe
              "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
              2⤵
              • Modifies Internet Explorer settings
              PID:1612
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe"
            1⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c69758,0x7fef6c69768,0x7fef6c69778
              2⤵
                PID:2456
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1224,i,450526530726866645,11371109033129987763,131072 /prefetch:2
                2⤵
                  PID:2824
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1224,i,450526530726866645,11371109033129987763,131072 /prefetch:8
                  2⤵
                    PID:2716
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1224,i,450526530726866645,11371109033129987763,131072 /prefetch:8
                    2⤵
                      PID:2684
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2336 --field-trial-handle=1224,i,450526530726866645,11371109033129987763,131072 /prefetch:1
                      2⤵
                        PID:2760
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2352 --field-trial-handle=1224,i,450526530726866645,11371109033129987763,131072 /prefetch:1
                        2⤵
                          PID:2836
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1224,i,450526530726866645,11371109033129987763,131072 /prefetch:2
                          2⤵
                            PID:1688
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1436 --field-trial-handle=1224,i,450526530726866645,11371109033129987763,131072 /prefetch:1
                            2⤵
                              PID:1720
                          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                            1⤵
                              PID:2336
                            • C:\Windows\system32\vssvc.exe
                              C:\Windows\system32\vssvc.exe
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3444

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id-5A75B46B.[[email protected]].ncov
                              Filesize

                              6.3MB

                              MD5

                              f70bf575eaab5f725d0652bbb056915d

                              SHA1

                              e690a79c12bfe2bd39212f5076b18b2093177efe

                              SHA256

                              b10d5d9b0843061d15e4412d555b19043137a094aea459f9ab1aa75b49f4e897

                              SHA512

                              80e2776d0476068b8692f92b07cacbbea52bd79ed67d832e5da6b32d28ca09c2897918458ae12b184d026ddfb6c70a660d113d6242fe5fef722ff13cc158e3bb

                              Download Submit

                            • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                              Filesize

                              13KB

                              MD5

                              4ec5c5b3cc664d89f18fccd39e66f992

                              SHA1

                              2df253840cc00c10cc9b8c14b7e79ee44eec9d9f

                              SHA256

                              3526cf1a4adb257306beac2506b500264d516cbe0ab5eb86503426e3de960059

                              SHA512

                              515952b5c71a85030c9916b4f87702878c4fe4af8d32df8cc74137a7ee49103c30fcc562a0e65779b59013519365b817531b1cbcafb2b0f6243e229d0bfb34a4

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2fae3a01-b5f1-4b47-a461-c1728b2a2202.tmp
                              Filesize

                              140KB

                              MD5

                              7ad6c753412f98a66a644a12d30c099c

                              SHA1

                              052c25be6b84e94c3164c0e907c26e404f0fb31b

                              SHA256

                              c285780cb1cf366906e479e8f576378cfcb0d264549ee518700e8d941c773a3b

                              SHA512

                              9e66e7b6ff7386a54e349f8ba425c4778a6b8a0b45fd12aaef9155e3a5ab6603377972f256fe02b0c7a20baf93d895cc78be8c02b440d2074af4367be57effe6

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
                              Filesize

                              4.8MB

                              MD5

                              d66060897222aa61f0b28a5162b50031

                              SHA1

                              cea8c955ec316b51cc582ae1c101c5ad77e003ad

                              SHA256

                              9dc57d77caa1145f331c1f92b4bed5c21a47807ec86b00f7b54599f3a7b20308

                              SHA512

                              88515cd9e4acfbec2cc1e842703aedc61b3a16257fce0dac7b9d99335d9f9f1adb763a2c5fb211d3a0aa5ff824cd9dfaace6275bfe6ac5d2d5f97af5c96e33ec

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                              Filesize

                              264KB

                              MD5

                              f50f89a0a91564d0b8a211f8921aa7de

                              SHA1

                              112403a17dd69d5b9018b8cede023cb3b54eab7d

                              SHA256

                              b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                              SHA512

                              bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007
                              Filesize

                              90B

                              MD5

                              b6d5d86412551e2d21c97af6f00d20c3

                              SHA1

                              543302ae0c758954e222399987bb5e364be89029

                              SHA256

                              e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191

                              SHA512

                              5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
                              Filesize

                              16B

                              MD5

                              18e723571b00fb1694a3bad6c78e4054

                              SHA1

                              afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                              SHA256

                              8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                              SHA512

                              43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
                              Filesize

                              250B

                              MD5

                              5b0a82a2e2128a0ea25ebdb2e8450a81

                              SHA1

                              9680891d1ad4860c480b1cd8c71341764e918970

                              SHA256

                              c120ef4814c3792623564a31ba241408be74216587743bc4c1f0f06810903879

                              SHA512

                              5e8942c0113f83bc625c2d4b49d79fb262c710c9d2a84e574f621b885ced1653d9ec99da0170b8426f202641b6ea703eddb01d1fb02b908971fb62f4849b4b71

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007
                              Filesize

                              250B

                              MD5

                              03d881fc5a4ab4013bd1b30988abb179

                              SHA1

                              9ad861569715575d7b676e5683b14dd3cffec304

                              SHA256

                              5da7b30f55f920166ad821f532fb95bd11546bf63a228fc41357aa122fcaf5e8

                              SHA512

                              29ab8ac2c642a83086266f88ffde8d71c96cd0d98812fac526e0a0adc58d8bc7f99760ad19a71cc38c3ef5edb9ab9d642ef6b665bf4ce336260b0171411e26f6

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007
                              Filesize

                              98B

                              MD5

                              098134f5ed5cc8b444c7606473de284b

                              SHA1

                              83bbea288653109a6e67b4a70c03e922f915b911

                              SHA256

                              f74a527ea3a8e245b6232101f5a39933b0ebb8cfedd8e0a3ff03bf3e6670cea1

                              SHA512

                              d652087c0eb97055c4a5db16171b1f9edc1fccf125210692efbb2bb6a31596ea0ad6980322d29ebcd6ad9968d952aded39ad8dcf871d9ae0c8bc3561e2969b34

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
                              Filesize

                              256KB

                              MD5

                              7368469776be0a09161e11002451d6f4

                              SHA1

                              1de9aea2f8d2acaff678d7c8360145f472fbed68

                              SHA256

                              9fd8e268dcc84a4c471db0d20c646980e1cfe3f3702433866c5ca0535ed1fdf8

                              SHA512

                              1314d7174e131c00050d07ad99c7e502beb7fdb65eb0671d50ec5e01e3aee860a777342cd9f1ed436ef518f56d3e2941a3eec7a3f55da01bcf8f2b3d8330addb

                              Download Submit

                            • \??\pipe\crashpad_2004_PWHWFJWFLBBAUJRA
                              MD5

                              d41d8cd98f00b204e9800998ecf8427e

                              SHA1

                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                              SHA256

                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                              SHA512

                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                              Download Submit

                            • memory/2116-49-0x000000000ACA0000-0x000000000ACD4000-memory.dmp

                              Filesize

                              208KB

                              Download

                            • memory/2116-17954-0x000000000ACA0000-0x000000000ACD4000-memory.dmp

                              Filesize

                              208KB

                              Download

                            • memory/2116-3495-0x0000000000400000-0x000000000056F000-memory.dmp

                              Filesize

                              1.4MB

                              Download

                            • memory/2116-50-0x0000000000400000-0x000000000056F000-memory.dmp

                              Filesize

                              1.4MB

                              Download

                            • memory/2116-0-0x0000000000400000-0x000000000056F000-memory.dmp

                              Filesize

                              1.4MB

                              Download

                            • memory/2756-20470-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

                              Filesize

                              64KB

                              Download