Overview

overview

10

Static

static

10

2024-06-12...ma.exe

windows7-x64

10

2024-06-12...ma.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    12-06-2024 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-12_4d43a8579269bd1563339c4fe94bd1d2_crysis_dharma.exe

  • Size

    92KB

  • MD5

    4d43a8579269bd1563339c4fe94bd1d2

  • SHA1

    e79fae20c3b3b87c21527d5ff21f13e4d05b46c2

  • SHA256

    0c40614a4c3b9eee4e9cf12278c9dcf7ff267dbf0e959e953e1c721330d1e6dc

  • SHA512

    f8dcc1e78267d778ff291d719bdc0a8afdeec82c7ec783f71a91211a378b33b10f05bb5f4438547e1ea03a86972c9a7f8a4fefd7d9cd76c2f15f543869a8f1f7

  • SSDEEP

    1536:GBwl+KXpsqN5vlwWYyhZ9S4ANuO+VEDAYTLiYhq1cbV3VH7M5oIDH:ww+asqN5aW/hS3+VEDr2YhqIV3xM6

Score
10/10
dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (324) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_4d43a8579269bd1563339c4fe94bd1d2_crysis_dharma.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_4d43a8579269bd1563339c4fe94bd1d2_crysis_dharma.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:2148
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2096
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:2188
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:1556
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
          • Modifies Internet Explorer settings
          PID:2580
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
          • Modifies Internet Explorer settings
          PID:1920
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2692

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
        Filesize

        7KB

        MD5

        0ad74b37f07ebad403405d59e31ccb66

        SHA1

        bcb3e7c7baa39a644c1436bc3fad1f2d2f3e03ab

        SHA256

        af2576213cd00b7de71fa9f21b494b0fd2da8e6140e12d730a99778c401bd71c

        SHA512

        aaf0478a53c2ff247fa0432157c909b65cb3d6227c8c5730fbc755cdc825d9e21c93c9422c6429bb59bc9a1480cb1d7cc1c7d903cf8609161e0c667ee44c0d19

        Download Submit