File name: | 89583b4e7d88aa33f3d5f300c5271c5c61fd6ea4f8910289f1eb4083bf44527094711ff30b760ec8001c577e46b1e0c4100d9f4ddd919eab8fb536fe16298783 |
Full analysis: | https://app.any.run/tasks/3b990b14-2ae4-4180-bdb0-77e83e77d50f |
Verdict: | Malicious activity |
Threats: | Dharma is ransomware that has been observed in the wild since 2016 and is distributed as ransomware-as-a-service (RaaS); the FBI has described it as the second most profitable RaaS operation. The malware targets hospitals and state organizations, encrypts files, and demands a payment to restore access to the encrypted data. |
Analysis date: | October 05, 2022, 07:45:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | B56F8983427DF33C3D50C97407DBEF8E |
SHA1: | 275ADE619ACF47E84DC2406E082E3C54B33A8780 |
SHA256: | 49C56E5D45BB55760E0BCA8E551133B21656E0E213DCF2F1A4FB22EB575D01CD |
SSDEEP: | 24576:PdCGjg5mPsWCmFg3EqthzMjMNGaHMRbRVew0RJaES/UVGlesXUiKSqY9TPiir5VV:PdCGjg5cCmqUqthrciw0Rgi8kiqMjiiR |
Extension | Description | Match (%)
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3104 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\89583b4e7d88aa33f3d5f300c5271c5c61fd6ea4f8910289f1eb4083bf44527094711ff30b760ec8001c577e46b1e0c4100d9f4ddd919eab8fb536fe16298783.rar" | C:\Program Files\WinRAR\WinRAR.exe | | Explorer.EXE
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
3104 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write | 
3104 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write | 
3104 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | write | en-US
3104 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | write | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
3104 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | write | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3104 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\AppData\Local\Temp\89583b4e7d88aa33f3d5f300c5271c5c61fd6ea4f8910289f1eb4083bf44527094711ff30b760ec8001c577e46b1e0c4100d9f4ddd919eab8fb536fe16298783.rar
3104 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120
3104 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80
3104 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | write | 120
3104 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | write | 100
All of these writes are WinRAR's own UI state. ArcHistory is WinRAR's most-recently-used list: entry 0 is the analysed archive, and entries 1 and 2 are archives opened earlier on the analysis VM that were shifted down when entry 0 was written; they are not files produced by the sample and should not be treated as indicators.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3104 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3104.16143\STOP RANSOM.exe | executable | 9F566B7CBFA1CDF326A58A73F36BC74C | 970A7F3A8E1CAF695DFF4A62F2C9DA51289F3EEA0C7F534DCFCB6CD403F1684B
3104 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3104.16143\FREYA.exe | executable | 60FA17BEB53BCDE9CBFF22D88DC94EBA | 8CBB55FCA2E9518391C95A2F6307EFB895533A20C9F1248A947CDA16771C9346
3104 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3104.16143\conti.exe | executable | 58AEA2AAC89947773DFAE8E3859E20B0 | 39B74B2FB057E8C78A2BA6639CF3D58AE91685E6AC13B57B70D2AFB158CF742D
3104 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3104.16143\dharma.exe | executable | BA67DD5AB7D6061704F2903573CEC303 | 6B1F4DF924FB0E5067DF18DFC5063D409F3BF2EE0D14B381B3F583E0D0DA3AE5
3104 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3104.16143\RECNYC.exe | executable | D7CC6C987C68A88DEFDAB3A59070777E | 15CC3CAD7AEC406A9EC93554C9EAF0BFBCC740BEF9D52DBC32BF559E90F53FEE
All five files were written by WinRAR (PID 3104) into its Rar$EXa3104.16143 temporary directory, the location WinRAR uses for an archive member that is opened from inside the archive window; the number after Rar$EXa is WinRAR's own PID. The process list above contains no child of WinRAR, so this run records the extraction of the five executables but not their execution, and the Dharma threat label is not backed by any observed encryption activity here. STOP, conti and dharma are well-known ransomware family names, but a file name is not an identification: pivot on the hashes, not the names.
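The two facts worth operationalising from this report are the Rar$EXa&lt;pid&gt;.&lt;n&gt; staging directory and the five hashes. The following is an added example, not part of the ANY.RUN report or of WinRAR: a small triage routine that flags executables written into a WinRAR open-from-archive temp directory, cross-checks the PID embedded in that path against the writing process, matches SHA-256 values against the hashes above, and (as the follow-on event this run did not show) flags a process started from such a directory with WinRAR as parent. The event-dict format, the executable-extension list and the sample events are constructed for the example; the paths and hashes are taken from the tables above.

```python
import re
from typing import Dict, List, Optional, Tuple

# SHA-256 values of the five executables in the dropped-files table above (lower-cased).
REPORT_SHA256: Dict[str, str] = {
    "970a7f3a8e1caf695dff4a62f2c9da51289f3eea0c7f534dcfcb6cd403f1684b": "STOP RANSOM.exe",
    "8cbb55fca2e9518391c95a2f6307efb895533a20c9f1248a947cda16771c9346": "FREYA.exe",
    "39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d": "conti.exe",
    "6b1f4df924fb0e5067df18dfc5063d409f3bf2ee0d14b381b3f583e0d0da3ae5": "dharma.exe",
    "15cc3cad7aec406a9ec93554c9eaf0bfbcc740bef9d52dbc32bf559e90f53fee": "RECNYC.exe",
}

# WinRAR writes a member opened from inside the archive window to
# %TEMP%\Rar$EXa<pid>.<n>\<member>, where <pid> is WinRAR's own PID (3104 in the report).
RAR_OPEN_TEMP = re.compile(r"\\Rar\$EX[a-z](?P<pid>\d+)\.\d+\\(?P<name>[^\\]+)$", re.IGNORECASE)

# Extensions treated as directly executable for this check (assumption; extend as needed).
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs", ".hta")


def classify_file_write(pid: int, process: str, path: str, sha256: Optional[str] = None) -> List[str]:
    """Findings for one file-create event; an empty list means nothing to report."""
    findings: List[str] = []
    m = RAR_OPEN_TEMP.search(path)
    if m and process.lower() == "winrar.exe":
        if m.group("name").lower().endswith(EXEC_EXT):
            findings.append("executable opened from inside archive (Rar$EX temp dir)")
        if int(m.group("pid")) != pid:
            # WinRAR embeds its own PID in the directory name; a mismatch means something
            # other than the writing WinRAR instance is staging files in a look-alike path.
            findings.append("Rar$EX pid %s != writer pid %d" % (m.group("pid"), pid))
    if sha256 and sha256.lower() in REPORT_SHA256:
        findings.append("SHA-256 matches %s from this report" % REPORT_SHA256[sha256.lower()])
    return findings


def classify_process_start(image: str, parent_image: str) -> List[str]:
    """The follow-on event this report stops short of: a process launched from a Rar$EX dir."""
    findings: List[str] = []
    if RAR_OPEN_TEMP.search(image):
        findings.append("process image lives in WinRAR open-from-archive temp dir")
        if parent_image.lower().endswith("\\winrar.exe"):
            findings.append("parent is WinRAR.exe: member was launched from the archive window")
    return findings


def triage(events: List[dict]) -> List[Tuple[str, str, List[str]]]:
    """Run both checks over event dicts; return (event type, path, findings) for hits only."""
    hits: List[Tuple[str, str, List[str]]] = []
    for ev in events:
        if ev["type"] == "file_write":
            key = ev["path"]
            f = classify_file_write(ev["pid"], ev["process"], ev["path"], ev.get("sha256"))
        else:
            key = ev["image"]
            f = classify_process_start(ev["image"], ev["parent_image"])
        if f:
            hits.append((ev["type"], key, f))
    return hits


# Constructed sample events: two of the writes from the table above, a harmless text member,
# a normal extraction to the Desktop, and a hypothetical launch of dharma.exe from the temp dir.
TEMP = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3104.16143"
SAMPLE_EVENTS = [
    {"type": "file_write", "pid": 3104, "process": "WinRAR.exe", "path": TEMP + r"\STOP RANSOM.exe",
     "sha256": "970A7F3A8E1CAF695DFF4A62F2C9DA51289F3EEA0C7F534DCFCB6CD403F1684B"},
    {"type": "file_write", "pid": 3104, "process": "WinRAR.exe", "path": TEMP + r"\dharma.exe",
     "sha256": "6B1F4DF924FB0E5067DF18DFC5063D409F3BF2EE0D14B381B3F583E0D0DA3AE5"},
    {"type": "file_write", "pid": 3104, "process": "WinRAR.exe", "path": TEMP + r"\readme.txt"},
    {"type": "file_write", "pid": 3104, "process": "WinRAR.exe",
     "path": r"C:\Users\admin\Desktop\report\notes.exe"},  # ordinary extraction, not via Rar$EX
    {"type": "process_start", "image": TEMP + r"\dharma.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe"},
]

if __name__ == "__main__":
    for kind, key, findings in triage(SAMPLE_EVENTS):
        print(kind, key)
        for f in findings:
            print("   -", f)
```

The PID cross-check is the part that is easy to get wrong in a SIEM rule: the digits after Rar$EXa belong to the WinRAR process, so a rule that keys only on the directory name prefix will also match anything an attacker stages in a hand-made Rar$EXa directory; comparing the embedded PID with the writer's PID separates the two cases.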