Resubmissions
05/03/2025, 18:11
250305-wss11avxav 1005/03/2025, 18:06
250305-wprzjavrz9 405/03/2025, 17:59
250305-wkxdfsvvfy 305/03/2025, 17:55
250305-whs81svvdw 305/03/2025, 17:45
250305-wb6wjavtev 805/03/2025, 17:30
250305-v3dhmat1ht 1005/03/2025, 17:26
250305-vzwj2at1c1 305/03/2025, 17:07
250305-vm2khstsax 1005/03/2025, 17:04
250305-vlb88ss1gs 305/03/2025, 16:25
250305-txctgasrs8 8General
-
Target
http://melbet.com
-
Sample
250305-vm2khstsax
Malware Config
Targets
-
-
Target
http://melbet.com
Score10/10-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Renames multiple (716) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Password Policy Discovery
Attempt to access detailed information about the password policy used within an enterprise network.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Power Settings
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Safe Mode Boot
1Indicator Removal
3Clear Windows Event Logs
1File Deletion
2Modify Registry
5Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Password Policy Discovery
1Peripheral Device Discovery
1Permission Groups Discovery
1Local Groups
1Query Registry
5Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1System Time Discovery
1