Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-09-2024 15:17

General

  • Target

    54a6cde2a40da13331d3d5715878155697c5f5d794a457684443b276cef9fc18N.exe

  • Size

    92KB

  • MD5

    bbb38219ae8cd8baaea964c647be77a0

  • SHA1

    19c272d0ec29a1356e74e5e29edfdb1076e8040e

  • SHA256

    54a6cde2a40da13331d3d5715878155697c5f5d794a457684443b276cef9fc18

  • SHA512

    2eceea83f700ce475195e5c5ae65f3ca4cdf0886954b41bb92591aee942a5c6f0edd812f562953f7d3b27d569fc5f1f5c9d2d2ecfe8fc124019b3c37de7aae10

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4A0Lia3Z5m+O/NW1PrWaSe5pa:Qw+asqN5aW/hLxYZc+O/NGqH6

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All FILES ENCRYPTED "RSA1024" All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL [email protected] IN THE LETTER WRITE YOUR ID, YOUR ID 24AD10E2 IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: [email protected] YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL FREE DECRYPTION FOR PROOF You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) DECRYPTION PROCESS: When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you: 1. Decryption program. 2. Detailed instruction for decryption. 3. And individual keys for decrypting your files. !WARNING! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (512) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\54a6cde2a40da13331d3d5715878155697c5f5d794a457684443b276cef9fc18N.exe
    "C:\Users\Admin\AppData\Local\Temp\54a6cde2a40da13331d3d5715878155697c5f5d794a457684443b276cef9fc18N.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:1820
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:5744
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:8704
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:8896
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:1780
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:7204
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:7788
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5952

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-24AD10E2.[[email protected]].MGS

            Filesize

            2.7MB

            MD5

            07bcea143e60d0428593b1ee23ebcdb9

            SHA1

            b7480f35a8bbfc49584af1223a21aa0e3dccc388

            SHA256

            43e5c35a0d52f4b267d1fdf40b55ffde10391a747ffadb2ebc681e2f2d6e4d2d

            SHA512

            3d25afba549bf44ce49ffa0141d49d5d52768d8a69ad05d5477b1573f7af7b976db64c547dd6d3418ad87b242ec1215a9e12d05d9612aef0521c008757c396a4

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

            Filesize

            13KB

            MD5

            fa2f8356e9155c5da439c481741242b0

            SHA1

            340b6772c7a194d3b2aecc8cbde341c513d73f4e

            SHA256

            c85f8bba9b6546cfd2bd01d98b49aebf4249528fead1eb2e8ef2c33481194403

            SHA512

            555ab96a945c73c351cc2e4209d83d977ab9fc2879d6b5a1b75ee282ffd0484a345706cffa93fb334a18d698e54fe2692bd9c8e3f1e2cde7b6dad88d0b19b77d