| File name: | wetransfer-1986d4.zip |
| Full analysis: | https://app.any.run/tasks/1af79d74-d92e-4ba8-b485-bdba524bfb77 |
| Verdict: | Malicious activity |
| Threats: | Dharma is advanced ransomware that has been observed in the wild since 2016. It is considered to be the second most profitable RaaS operation by the FBI. The malware targets hospitals and state organizations, encrypts files, and demands a payment to restore access to lost information. |
| Analysis date: | November 29, 2018, 17:27:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | B31A75166A83BAF550F09CCF98B0BEB4 |
| SHA1: | 62E5AF92D1C746B773AB5FBF9AC635AFACD8F0A5 |
| SHA256: | 51B9826A67F6A2CE73E49AAA255CEE159BBFD6B8ED3980932F3744F880BE9EEC |
| SSDEEP: | 3072:TlKAW7Ii0NXS2cm/qSE18Y44m5Fh4c3V1w+asqN5aW/hLNorgbe2ROJMzZZn1NL:TlKAbvS0ZEsXw+E6shL2rgbZZn7 |
MALICIOUS
Application was dropped or rewritten from another process
- local.exe (PID: 3464)
- expIorer.exe (PID: 3144)
- local.exe (PID: 2264)
Dropped file may contain instructions of ransomware
- WinRAR.exe (PID: 2932)
Writes to a start menu file
- expIorer.exe (PID: 3144)
Changes the autorun value in the registry
- expIorer.exe (PID: 3144)
Runs app for hidden code execution
- expIorer.exe (PID: 3144)
Deletes shadow copies
- cmd.exe (PID: 3552)
Renames files like Ransomware
- expIorer.exe (PID: 3144)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2932)
- expIorer.exe (PID: 3144)
Creates files in the user directory
- expIorer.exe (PID: 3144)
Creates files in the Windows directory
- expIorer.exe (PID: 3144)
Starts CMD.EXE for commands execution
- expIorer.exe (PID: 3144)
Creates files in the program directory
- expIorer.exe (PID: 3144)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2018:11:29 17:26:21 |
| ZipCRC: | 0x63585834 |
| ZipCompressedSize: | 13913 |
| ZipUncompressedSize: | 13913 |
| ZipFileName: | Info.hta |
Total processes
48
Monitored processes
8
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2264 | "C:\Users\admin\Desktop\local.exe" | C:\Users\admin\Desktop\local.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225786 Modules
| |||||||||||||||
| 2268 | mode con cp select=1251 | C:\Windows\system32\mode.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: DOS Device MODE Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2640 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2932 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\wetransfer-1986d4.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 3144 | "C:\Users\admin\Desktop\expIorer.exe" | C:\Users\admin\Desktop\expIorer.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3396 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3464 | "C:\Users\admin\Desktop\local.exe" | C:\Users\admin\Desktop\local.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3552 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | expIorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
458
Read events
433
Write events
25
Delete events
0
Modification events
| (PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\wetransfer-1986d4.zip | |||
| (PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
| Operation: | write | Name: | @C:\Windows\System32\mshta.exe,-6412 |
Value: HTML Application | |||
| (PID) Process: | (2932) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop | |||
Executable files
5
Suspicious files
116
Text files
1
Unknown types
9
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3144 | expIorer.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.id-C4BA3647.[cyberwars@qq.com].war | — | |
MD5:— | SHA256:— | |||
| 3144 | expIorer.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini | — | |
MD5:— | SHA256:— | |||
| 3144 | expIorer.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\desktop.ini | — | |
MD5:— | SHA256:— | |||
| 3144 | expIorer.exe | C:\config.sys | — | |
MD5:— | SHA256:— | |||
| 3144 | expIorer.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml | — | |
MD5:— | SHA256:— | |||
| 3144 | expIorer.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml | — | |
MD5:— | SHA256:— | |||
| 3144 | expIorer.exe | C:\autoexec.bat | — | |
MD5:— | SHA256:— | |||
| 3144 | expIorer.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.id-C4BA3647.[cyberwars@qq.com].war | — | |
MD5:— | SHA256:— | |||
| 3144 | expIorer.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml | — | |
MD5:— | SHA256:— | |||
| 3144 | expIorer.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report