Extracted

• • Target

    ja.salivan.exe

  • Size

    92KB

  • MD5

    f25b8c72c61c734bbf4ee7cbffda3d48

  • SHA1

    5b725dbebfd73c95067cc40c904dd981a5f1ce22

  • SHA256

    ce371f9f9c2446ca5d84e5df4bd8562247c198310b81e577fa4afc2398795438

  • SHA512

    e63183995e9e3950790266f71130fcabe3d4e9d7e270b1f72116323e16f31a6f51a4d96d268dbc1fdc3ad2375ad20e7dc0b1572a5a7bedb54209afc3dcb7d8d8

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4A5qERXCE5uodtYr2I41:Qw+asqN5aW/hLn9Ry6bC2f1

  Score

  10^/10

  dharmacredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (321) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

  behavioral1behavioral2