General
-
Target
AbuseSir.zip
-
Size
533KB
-
Sample
241020-fs4vha1bmf
-
MD5
89356909dd03f12c8c40b25892ab513b
-
SHA1
bffcf4a42461392d0b27d2e8e3ac65006df2b9c2
-
SHA256
580e53f03e5e404571d21dab5aa03d3a51ca1b7d64433acd2b59e66d428c4347
-
SHA512
b01a06d73bba2c34ed763350d4a763a345bc02439e7da709394446bf4c5b9732b0e4205c250321c18a5ef17ee35669c3b6c4bb54ba36f2ed4396cd80fdcb7bf9
-
SSDEEP
12288:UeE0t09aEHHFJySS4ii2biK71J0oHH/up9:UeEorQvySStuK7UoHH/q9
Static task
static1
Behavioral task
behavioral1
Sample
AbuseSir™.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
AbuseSir™.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Targets
-
-
Target
AbuseSir™.exe
-
Size
1.0MB
-
MD5
055d1462f66a350d9886542d4d79bc2b
-
SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565
-
SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
-
SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
SSDEEP
24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (318) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1