Dharma Ransomware

********************Summary of Attack**************************
  • Adversary brute forced an internet-exposed RDP endpoint
  • Copied binaries to the victim machine
  • Cleared Windows Event Logs
  • Deleted Shadow Copies
  • Dumped credential hashes via mimikatz
  • Executed the ransomware executable
  • Connected via RDP to other machines to repeat the same process

********************Mitre Attack Mapping**************************

************************Adversary Timeline**************************

***********************2020-08-01 10:08:18 UTC*********************
MITRE – Initial Access – External Remote Services – T1133
The adversary successfully brute forced our internet-exposed RDP endpoint.

 

*******************2020-08-01 10:09:53 UTC*************************
Adversary drops DefenderControl.exe to disk.




**********************2020-08-01 10:10:23 UTC**********************
Adversary drops numerous Windows binaries to disk (listed in the IOCs section).



*********************2020-08-01 10:10:32 UTC***********************
Adversary executes DEL.exe:
DEL.exe drops \Local\Temp\8B02.tmp\8B13.tmp\8B14.bat
DEL.exe launches child process CMD.exe



*********************2020-08-01 10:10:38 UTC***********************
MITRE – Defense Evasion – Indicator Removal on Host
Child process CMD.exe launches multiple processes invoking wevtutil.exe against multiple Windows event logs.




**********************2020-08-01 10:10:41 UTC**********************
MITRE – Discovery – Network Service Scanning – T1046
Adversary launches NS64.exe, which appears to be a tool similar to nmap.exe.




*********************2020-08-01 10:13:20 UTC**********************
MITRE – Impact – Inhibit System Recovery – T1490
Adversary launches WMIC and vssadmin.exe to delete shadow copies:
  wmic SHADOWCOPY DELETE
  vssadmin Delete Shadows /All /Quiet



**********************2020-08-01 10:10:23 UTC**********************
Adversary drops additional Windows binaries to disk (listed in the IOCs section).




**********************2020-08-01 10:15:14***************************
MITRE – Credential Access – OS Credential Dumping – T1003
Adversary executes mimikatz.exe to obtain credentials.




***********************2020-08-01 10:17:37**************************
MITRE – Discovery – Network Service Scanning – T1046
Adversary ran arp -a and redirected its output to a file for later use.

 



***********************2020-08-01 10:17:39**************************
 
MITRE – Lateral Movement – Remote Services: Remote Desktop Protocol – T1021.001
Adversary executes rdp.exe and attempts RDP connections against live hosts on the LAN.



***********************2020-08-01 10:34:20**************************
MITRE – Impact – Data Encrypted for Impact
Adversary launches the binary that encrypts data.
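The timeline above is built from process-creation and failed-logon events, so a defender can reproduce the same detections from those sources. The following is an added example, not part of the original write-up: it runs simple rules for the wevtutil log clearing, the WMIC/vssadmin shadow copy deletion, mimikatz execution, and the RDP brute-force pattern (a burst of 4625 failures from one source) over constructed sample events in an assumed "timestamp|event_id|detail" format.

```python
import re
from collections import Counter

# Constructed sample events (not from the incident): "timestamp|event_id|detail" lines.
# 4625 = failed logon (Security log), 4688 = process creation with its command line.
SAMPLE_EVENTS = """\
2020-08-01T10:08:01|4625|src=198.51.100.7
2020-08-01T10:08:02|4625|src=198.51.100.7
2020-08-01T10:08:03|4625|src=198.51.100.7
2020-08-01T10:08:04|4625|src=198.51.100.7
2020-08-01T10:08:05|4625|src=198.51.100.7
2020-08-01T10:08:06|4625|src=198.51.100.7
2020-08-01T10:09:00|4625|src=203.0.113.9
2020-08-01T10:10:38|4688|cmd=wevtutil.exe cl Security
2020-08-01T10:10:39|4688|cmd=wevtutil.exe cl System
2020-08-01T10:13:20|4688|cmd=wmic SHADOWCOPY DELETE
2020-08-01T10:13:21|4688|cmd=vssadmin Delete Shadows /All /Quiet
2020-08-01T10:15:14|4688|cmd=mimikatz.exe
2020-08-01T10:17:37|4688|cmd=notepad.exe report.txt
"""

# Command-line patterns for the techniques seen in the timeline.
RULES = [
    ("Defense Evasion - Indicator Removal on Host", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("Impact - Inhibit System Recovery (T1490)", re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b|\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("Credential Access - OS Credential Dumping (T1003)", re.compile(r"\bmimikatz\b", re.I)),
]

def detect(events_text, failure_threshold=5):
    """Return sorted (timestamp, label, detail) alerts for rule hits and brute-force bursts."""
    alerts, failures, first_seen = [], Counter(), {}
    for line in events_text.splitlines():
        ts, event_id, detail = line.split("|", 2)
        if event_id == "4625":  # count failed logons per source address
            src = detail.partition("src=")[2]
            failures[src] += 1
            first_seen.setdefault(src, ts)
        elif event_id == "4688":  # match the command line against each rule
            cmd = detail.partition("cmd=")[2]
            for label, pattern in RULES:
                if pattern.search(cmd):
                    alerts.append((ts, label, cmd))
    for src, count in failures.items():  # more than the threshold from one source = brute force
        if count > failure_threshold:
            alerts.append((first_seen[src], "Initial Access - External Remote Services (T1133)", f"{count} failed logons from {src}"))
    return sorted(alerts)

if __name__ == "__main__":
    for ts, label, detail in detect(SAMPLE_EVENTS):
        print(ts, label, detail, sep=" | ")
```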

******************************IOCs*********************************

  • Adversary executed pay.exe, which encrypted the attack tools
  • DEL.exe launching child processes
  • Windows Security Event Log ID 4625 – evidence of brute forcing