dharma

General

Target

.
Size

147KB
Sample

240614-q9wwbsxcqk
MD5

478194cadb68b49c1c73f3d6f195c6e7
SHA1

3a994e1252efed326fc69233011ea6e9a4d6c424
SHA256

917cfc3dc5b41d7c66b88f5bb722ea66ced7c453bf7730d89e665a21c19c100a
SHA512

0a594f3f3eb26fbd3705b0303004b016a378c1487ef0462d82fb40922ab9da81bd26b66be3123aeb870dc017e96d7a28bebc22e2f7b19ec3b64aa38f276a8499
SSDEEP

1536:o4k6HxYfrVCCRldR4DWll6Q9Ut30vD932ks4DWHhqiS:jkRf5RDpllXawsHhqiS

Score

10^/10

Malware Config

Targets

- Target
  
  .
- Size
  
  147KB
- MD5
  
  478194cadb68b49c1c73f3d6f195c6e7
- SHA1
  
  3a994e1252efed326fc69233011ea6e9a4d6c424
- SHA256
  
  917cfc3dc5b41d7c66b88f5bb722ea66ced7c453bf7730d89e665a21c19c100a
- SHA512
  
  0a594f3f3eb26fbd3705b0303004b016a378c1487ef0462d82fb40922ab9da81bd26b66be3123aeb870dc017e96d7a28bebc22e2f7b19ec3b64aa38f276a8499
- SSDEEP
  
  1536:o4k6HxYfrVCCRldR4DWll6Q9Ut30vD932ks4DWHhqiS:jkRf5RDpllXawsHhqiS
Score

10^/10

dharma bootkit defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (771) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Modifies RDP port number used by Windows
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1