Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20250217-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    27/02/2025, 07:04

General

  • Target

    2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe

  • Size

    200KB

  • MD5

    8f55ce9352a6fb03e3d87f8ed1ffaa7f

  • SHA1

    1c5d21857b4329fee9257d8608134b2f94ea149c

  • SHA256

    590d3c67a0d4bdcfdabdc579ba3ef3e035144c7b422af7d083d30f6f53ce7cc4

  • SHA512

    3d2dfa038b24aa2e4bfdcef334fbe03679a9c56fcbc47267fb4dd4e2cdbd6906c2711c82573399ee7a91932ac5cec998b9053ffdd68ae61f8f4802d0d48c4b6e

  • SSDEEP

    6144:yw+E6shLjgYIz+X303peGbfUTpYDDmu/+3fbY:ycjgLzs0sG+pG/YY

Malware Config

Extracted

  • Path
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  • Ransom Note
    YOUR FILES ARE ENCRYPTED
    Don't worry, you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID
    If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected]
    Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma (also tracked as CrySIS) is a ransomware family; some of its droppers bundle a legitimate security-software installer so the encryption runs alongside an apparently benign install.

  • Dharma family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (655) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 268
        3⤵
        • Program crash
        PID:3908
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:2188
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4188
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:1340
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:7292
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      PID:2156
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      PID:8028
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2488 -ip 2488
    1⤵
    PID:4968
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:6544

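The process tree is the part of this report a detection engineer can act on directly: two cmd.exe children each run `mode con cp select=1251` followed by `vssadmin delete shadows /all /quiet`, and mshta.exe launches Info.hta from both the per-user and the all-users Startup folder. The following is an added example, not part of the sandbox report or the sample; it runs those two patterns over constructed process-creation events. The event schema (pid/ppid/image/cmdline) is a simplified made-up one, not Sysmon's or any EDR's, and the rule names and severities are assumptions. Command lines and PIDs mirror the tree above, with two benign look-alikes (`vssadmin list shadows`, an .hta outside Startup) that must not fire.

```python
"""Flag the shadow-copy wipe and Startup-folder .hta launch from the process
tree above in process-creation telemetry. Added example; the events below are
constructed and the schema is a simplified stand-in for Sysmon/EDR records."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry: one JSON object per line.
SAMPLE_EVENTS = r"""
{"pid": 2592, "ppid": 1000, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe\""}
{"pid": 2552, "ppid": 2592, "image": "C:\\Windows\\system32\\cmd.exe", "cmdline": "\"C:\\Windows\\system32\\cmd.exe\""}
{"pid": 2188, "ppid": 2552, "image": "C:\\Windows\\system32\\mode.com", "cmdline": "mode con cp select=1251"}
{"pid": 4188, "ppid": 2552, "image": "C:\\Windows\\system32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"pid": 2156, "ppid": 2592, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Info.hta\""}
{"pid": 5000, "ppid": 900, "image": "C:\\Windows\\system32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}
{"pid": 5001, "ppid": 900, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Tools\\inventory.hta\""}
"""

# vssadmin "delete shadows" with any switches (this sample uses /all /quiet).
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)
# mode con cp select=<codepage>: the sample switches the console to 1251
# (Cyrillic) right before the wipe; on its own this is benign.
CODEPAGE_SWITCH = re.compile(r"\bmode(?:\.com)?\b.*\bcon\b.*\bcp\s+select=\d+", re.I)
# An .hta launched from a per-user or all-users Startup folder.
STARTUP_HTA = re.compile(r'\\Start Menu\\Programs\\Startup\\[^"]*\.hta\b', re.I)


def load_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def image_name(event):
    """Basename of the image path, lower-cased."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, severity) findings in event order."""
    siblings = defaultdict(list)          # ppid -> child events
    for ev in events:
        siblings[ev["ppid"]].append(ev)

    findings = []
    for ev in events:
        name, cmd = image_name(ev), ev["cmdline"]
        if name == "vssadmin.exe" and SHADOW_DELETE.search(cmd):
            severity = "high"
            # A code-page switch under the same cmd.exe parent is the exact
            # sequence in this sample's tree: escalate when both are present.
            if any(image_name(s) == "mode.com" and CODEPAGE_SWITCH.search(s["cmdline"])
                   for s in siblings[ev["ppid"]]):
                severity = "critical"
            findings.append((ev["pid"], "shadow_copy_deletion", severity))
        if name == "mshta.exe" and STARTUP_HTA.search(cmd):
            findings.append((ev["pid"], "startup_folder_hta", "high"))
    return findings


if __name__ == "__main__":
    for pid, rule, severity in detect(load_events(SAMPLE_EVENTS)):
        print(f"PID {pid}: {rule} [{severity}]")
```

The image-name check is keyed on the path basename, so a renamed copy of vssadmin.exe would slip past it; in real telemetry match on the PE OriginalFileName (Sysmon carries it) instead. The rule also does not cover the other shadow-copy wipe routes (`wmic shadowcopy delete`, `Win32_ShadowCopy` via WMI/PowerShell), which this sample did not use but which belong in the same detection.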
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-852A5109.[[email protected]].IPM
    Filesize: 2.7MB
    MD5: 35af4eded5261a19e9e40a440a61aee5
    SHA1: 1b2249000c7a68da794328a4011f71d420addfee
    SHA256: a7d03497919f4919d7c323fb4d1b5bb4ddfcce223389682764476b03c6e5c1c8
    SHA512: e3f3c3fc095808c1b7e2817a838e024bd36bec69bc1e4fd5dab6aa23352594e84cd4587616eb5085b78845c810a8aa34e6f1e9b9e9388e824ed41a4213953a71
  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnitmgr.exe
    Filesize: 105KB
    MD5: d5ca6e1f080abc64bbb11e098acbeabb
    SHA1: 1849634bf5a65e1baddddd4452c99dfa003e2647
    SHA256: 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae
    SHA512: aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
    Filesize: 7KB
    MD5: 8bc0dc7ee81fee8fc86af828d4244416
    SHA1: c7c6fc0760c3ebbaa06b6e88abacdfdc597be18d
    SHA256: 4b6cc0756db2397d6fe1c297f3fd4dfaa5a2bf97e028b2f8040345a3b91e1a67
    SHA512: 3b5263e4809b9e83fd176f733220cf7c77a3e72308f98196829f20d06ff39766ea094111a00413f8450b906076e615328e01f5953b7cebfa314b5a7d598bc354
  • memory/2488-5-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize: 372KB
  • memory/2488-6-0x00000000004D0000-0x00000000004D1000-memory.dmp
    Filesize: 4KB
  • memory/2488-5095-0x0000000000400000-0x000000000045D000-memory.dmp
    Filesize: 372KB
  • memory/2592-0-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/2592-25416-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
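The first entry in the dropped-file list shows the suffix this sample appends to every file it encrypts: `<original name>.id-<8 hex victim ID>.[<contact e-mail>].IPM`, with the e-mail redacted on this page. When triaging a host hit by this family, that suffix is the fastest way to scope the damage without touching file contents. The following is an added example, not part of the report or the sample: a parser for that naming scheme plus a summary helper that reports how many files matched, which victim IDs and contact addresses appear, and the original file types. The paths are constructed, and `contact@example.invalid` is a placeholder standing in for the redacted address.

```python
"""Parse Dharma/CrySIS-style encrypted file names to scope an incident.
Added example; paths are constructed and the e-mail is a placeholder, not the
operator's (the page redacts the real one)."""
import re
from collections import Counter

# <original name>.id-<8 hex victim ID>.[<contact e-mail>].<extension>
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]{2,8})$"
)

SAMPLE_PATHS = [  # constructed for this example
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-852A5109.[contact@example.invalid].IPM",
    r"C:\Users\Admin\Documents\budget.xlsx.id-852A5109.[contact@example.invalid].IPM",
    r"C:\Users\Admin\Pictures\holiday.jpg.id-852A5109.[contact@example.invalid].IPM",
    r"C:\Users\Admin\Documents\desktop.ini",  # dropped by the sample, not encrypted
    r"C:\Users\Admin\Documents\notes.txt.id-852A5109.[contact@example.invalid]",  # no final extension: not a match
]


def parse_encrypted_name(name):
    """Return dict(original, victim_id, email, ext), or None if the name does not fit."""
    m = DHARMA_NAME.match(name)
    return m.groupdict() if m else None


def summarize(paths):
    """Count encrypted files, the victim IDs and contact addresses embedded in
    their names, and the original file types; non-matching paths are listed."""
    result = {"encrypted": 0, "victim_ids": set(), "emails": set(),
              "original_ext": Counter(), "unmatched": []}
    for path in paths:
        parsed = parse_encrypted_name(path.rsplit("\\", 1)[-1])
        if parsed is None:
            result["unmatched"].append(path)
            continue
        result["encrypted"] += 1
        result["victim_ids"].add(parsed["victim_id"].upper())
        result["emails"].add(parsed["email"].lower())
        original = parsed["original"]
        original_ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
        result["original_ext"][original_ext] += 1
    return result


if __name__ == "__main__":
    s = summarize(SAMPLE_PATHS)
    print(f"{s['encrypted']} encrypted files, victim IDs {sorted(s['victim_ids'])}, "
          f"contacts {sorted(s['emails'])}, original types {dict(s['original_ext'])}")
```

One victim ID across every hit is the expected result for a single host; more than one ID or more than one contact address in the same file set usually means the files were encrypted from more than one infected machine or by more than one affiliate, which changes the scope of the investigation. Run the parser over a file listing taken from a forensic image rather than the live system, so the triage does not modify timestamps the encryptor left behind.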