Analysis

  • max time kernel
    1199s
  • max time network
    844s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-11-2024 15:32

General

  • Target

    001.exe

  • Size

    626KB

  • MD5

    cced409e95d6c2e44823381df3880d96

  • SHA1

    724383fc11cca24495a5ee69737399520eb70483

  • SHA256

    c435eb8911a3657f56dd5508c69f0c62120bd1af8d7a980ad840209c83828066

  • SHA512

    42d1ddd7dbc7e1f8bd4aa639086eca6211e5cb0d2d2b309fe30e9f8ff687af8544c938ce019fbf690ea5b04f29e2802de0c5db7a9c493f4b9408ee638dd3ec33

  • SSDEEP

    6144:U76K/3FjtoELNzbxL9ts4KxYbYToO3AOGq8aDZ8eGiCjFZ1efKHPQfbmg6F5frbs:U76K/3FvbftsebYTPMuZ1CfYfbmL3

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!!
IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL 3442516480@qq.com
IN THE LETTER WRITE YOUR ID, YOUR ID 328B9522
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: 1169309366@qq.com
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

3442516480@qq.com

1169309366@qq.com

Signatures

  • Dharma

    Dharma is a ransomware family that uses security software installation to hide malicious activities.

  • Dharma family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (311) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\001.exe
    "C:\Users\Admin\AppData\Local\Temp\001.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\AppData\Local\Temp\001.exe
      C:\Users\Admin\AppData\Local\Temp\001.exe
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          4⤵
            PID:2588
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:1824
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1992
          • C:\Windows\system32\mode.com
            mode con cp select=1251
            4⤵
              PID:3140
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:3832
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            PID:408
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            3⤵
            • Modifies Internet Explorer settings
            PID:2880
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1900

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-328B9522.[3442516480@qq.com].pdf

        Filesize

        23.5MB

        MD5

        71f8ddd36b1146b4a93836033cab3992

        SHA1

        3ab7904cb2d1aa712c387a8910325bb55c2d5a19

        SHA256

        3422e9f317ea83f1f4df5bdad5bde6fb4c1e4dc3c27c50b9d3bc82f695298aec

        SHA512

        c4be62af02e3d65b2cddd65edfd92229de9c200687acfbc06fb1715ba9b0c2b03bb3018a30012438a5cfa2e5e6dc11fbfad48b3a40fc599540cefa44ecc7ef83

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

        Filesize

        13KB

        MD5

        ca56c4073ea614f2896523670a46b513

        SHA1

        61081f2c7e4d356579f4d1168e78ebae286e798d

        SHA256

        82f1ca82ba89e239340725b8a010e7b3668c539f55f7ae9d24b21a82814961d6

        SHA512

        7cef01ca84581df9689d5cd184c2f1a78fd2b25fcdd4dd915e15876f743230b5c34602a7d2c4c9547335c7f22bcb51a05341c0bd43787e6e29f65609aa620a1e

      • memory/408-20257-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

        Filesize

        64KB

      • memory/2644-8-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

      • memory/2644-4-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

      • memory/2644-5-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

      • memory/2644-6-0x0000000000340000-0x0000000000377000-memory.dmp

        Filesize

        220KB

      • memory/2644-7-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

      • memory/2644-0-0x0000000000340000-0x0000000000377000-memory.dmp

        Filesize

        220KB

      • memory/2644-9-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

      • memory/2644-13-0x0000000000340000-0x0000000000377000-memory.dmp

        Filesize

        220KB

      • memory/2644-3-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

      • memory/2644-2-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

      • memory/2644-1-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

      • memory/2820-7505-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB

      • memory/2880-20270-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

        Filesize

        64KB
