General

  • Target

    Desktop.rar

  • Size

    583KB

  • Sample

    241105-syk1ssvanq

  • MD5

    1cf7fced7dad510f4176f8951989b292

  • SHA1

    65c93d2a9f81ace650c49b5f4d4074b65cf8c3f7

  • SHA256

    e0cea864934569ac6a26891342810b3174d3bf740b1b64544373a29256ce9a0a

  • SHA512

    dd93b145f4af73bb8cbffde88427f06f0af5d1b0455c8376fcd0985a07b3b966a016f28edb52db432e2dd4a85d0efe46a3fa5d0255d6f39c98acf77fe92f1319

  • SSDEEP

    12288:tMTyPRrLQjpZfqeDashYYN9wCuGXZdUz9VSs87yDNMZnP0GoPBb:t1NwSeJyYnuGXZdU6BODC1P0ppb

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!!
IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL [email protected]
IN THE LETTER WRITE YOUR ID, YOUR ID 328B9522
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: [email protected]
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!!
IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL [email protected]
IN THE LETTER WRITE YOUR ID, YOUR ID 256A6E7B
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: [email protected]
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      001

    • Size

      626KB

    • MD5

      cced409e95d6c2e44823381df3880d96

    • SHA1

      724383fc11cca24495a5ee69737399520eb70483

    • SHA256

      c435eb8911a3657f56dd5508c69f0c62120bd1af8d7a980ad840209c83828066

    • SHA512

      42d1ddd7dbc7e1f8bd4aa639086eca6211e5cb0d2d2b309fe30e9f8ff687af8544c938ce019fbf690ea5b04f29e2802de0c5db7a9c493f4b9408ee638dd3ec33

    • SSDEEP

      6144:U76K/3FjtoELNzbxL9ts4KxYbYToO3AOGq8aDZ8eGiCjFZ1efKHPQfbmg6F5frbs:U76K/3FvbftsebYTPMuZ1CfYfbmL3

    • Dharma

      Dharma is a ransomware family that has been observed bundling a legitimate security-software installer to mask its malicious activity.

    • Dharma family

    • Deletes shadow copies

      Ransomware commonly deletes Volume Shadow Copies and other local backups to inhibit system recovery (ATT&CK T1490).

    • Renames multiple (311) files with added filename extension

      This is consistent with ransomware encrypting files across the system and appending its own extension to each one.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      002

    • Size

      560KB

    • MD5

      b0f46ff6a22ba47e9847c60bf231d16d

    • SHA1

      d6b9ef6687fda4bafcd335784fff4cacd96d9dde

    • SHA256

      bf43eafd9365c34862e9ff41857bfacb2649e37c405bec4dae099374146cda87

    • SHA512

      ba6c9845d951eccea8b39958e889a74697f0acb2080c70a715035ae39561d6c1abc8e4165b5d7a8f7b7d367dd9e1b0c6892981c45a062880c9aacbcee70b34b4

    • SSDEEP

      12288:tgwkjwm+jcxiEK6t4ttBxr0MRLC24RUe3Q1MjXStf:ewW0cDvXaLCJHQ1MStf

    • Dharma

      Dharma is a ransomware family that has been observed bundling a legitimate security-software installer to mask its malicious activity.

    • Dharma family

    • Deletes shadow copies

      Ransomware commonly deletes Volume Shadow Copies and other local backups to inhibit system recovery (ATT&CK T1490).

    • Renames multiple (314) files with added filename extension

      This is consistent with ransomware encrypting files across the system and appending its own extension to each one.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory
