Overview

overview

10

Static

static

1

RNSM00357.7z

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00357.7z

  • Size

    3.6MB

  • Sample

    241107-z6tfgayfka

  • MD5

    0b758102387a8bf100d557d773127713

  • SHA1

    4fb7f2c833bda0c35b9f71f8ca21bdc1443672cc

  • SHA256

    c53872af15e80f9df934aa3d019244f70702dc4f9b8f5432da3013fabe794a6d

  • SHA512

    a0f897998c39373fc4bec5b5541690be7a4c748300c4b00aaac5d4255d8530fda71fa8f870fec959c26d99ac1d929a2849ac3da630fd66b16821de174f2b385f

  • SSDEEP

    98304:kCRSIuxMklc/dpFMzn8zUj55FZWfX/tYeTsFITZdF:XNL7/dsznaUVrk/m1QF

Score
10/10
dharmatroldeshcredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Path

C:\MSOCache\All Users\_HELP_INSTRUCTION.TXT

Ransom Note
All your files have been encrypted! If you want to restore them, write us to the e-mail : [email protected] Write this ID in the title of your message DECRYPT-ID-a2868662-d4bd-4756-b451-527ef4d73f61 number number In case of no answer in 48 hours write us to theese e-mails : [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 files for free decryption. The total size of files must be less than 2 Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beg

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message FBEE38E3 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      RNSM00357.7z

    • Size

      3.6MB

    • MD5

      0b758102387a8bf100d557d773127713

    • SHA1

      4fb7f2c833bda0c35b9f71f8ca21bdc1443672cc

    • SHA256

      c53872af15e80f9df934aa3d019244f70702dc4f9b8f5432da3013fabe794a6d

    • SHA512

      a0f897998c39373fc4bec5b5541690be7a4c748300c4b00aaac5d4255d8530fda71fa8f870fec959c26d99ac1d929a2849ac3da630fd66b16821de174f2b385f

    • SSDEEP

      98304:kCRSIuxMklc/dpFMzn8zUj55FZWfX/tYeTsFITZdF:XNL7/dsznaUVrk/m1QF

    Score
    10/10
    dharmatroldeshcredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealertrojanupx

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Dharma family

      dharma

    • Troldesh family

      troldesh

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

      ransomwaretrojantroldesh

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (316) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Stops running service(s)

      evasionexecution

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Service Stop

1
T1489

Tasks