Dharma Ransomware

********************Summary of Attack**************************
  • Adversary brute-forced an internet-exposed RDP endpoint
  • Copied binaries to the victim machine
  • Cleared Windows Event Logs
  • Deleted shadow copies
  • Dumped credential hashes via mimikatz
  • Executed the ransomware executable
  • RDP'd to other machines to repeat the same process

********************Mitre Attack Mapping**************************

************************Adversary Timeline**************************

***********************2020-08-01 10:08:18 UTC*********************
MITRE – Initial Access – External Remote Services – T1133
The adversary successfully brute forced our internet-exposed RDP endpoint.


*******************2020-08-01 10:09:53 UTC*************************
Adversary drops DefenderControl.exe to disk.

**********************2020-08-01 10:10:23 UTC**********************
Adversary drops numerous Windows binaries to disk (listed below).

*********************2020-08-01 10:10:32 UTC***********************
Adversary executes DEL.exe:
DEL.exe drops \Local\Temp\8B02.tmp\8B13.tmp\8B14.bat
DEL.exe launches child process CMD.exe

*********************2020-08-01 10:10:38 UTC***********************
MITRE – Defense Evasion – Indicator Removal on Host
Child process CMD.exe launches multiple processes invoking wevtutil.exe against multiple Windows event logs

**********************2020-08-01 10:10:41 UTC**********************
MITRE – Discovery – Network Service Scanning – T1046
Adversary launches NS64.exe, which appears to be a tool similar to nmap.exe

*********************2020-08-01 10:13:20 UTC**********************
MITRE – Impact – Inhibit System Recovery – T1490
Adversary launches WMIC and vssadmin.exe to delete shadow copies:
vssadmin Delete Shadows /All /Quiet

**********************2020-08-01 10:10:23 UTC**********************
Adversary drops additional Windows binaries to disk (listed below).

**********************2020-08-01 10:15:14***************************
MITRE – Credential Access – OS Credential Dumping – T1003
Adversary executes mimikatz.exe to obtain credentials

***********************2020-08-01 10:17:37**************************
MITRE – Discovery – Network Service Scanning – T1046
Adversary ran arp -a and redirected its output to a file for later use.


***********************2020-08-01 10:17:39**************************
MITRE – Lateral Movement – Remote Services: Remote Desktop Protocol – T1021.001
Adversary executes rdp.exe and attempts RDP connections against live hosts on the LAN

***********************2020-08-01 10:34:20**************************
MITRE – Impact – Data Encrypted for Impact
Adversary launches the binary that encrypts data


***********************Dropped Binaries (SHA256 HASH)*******************
  • DefenderControl.exe
  • DEL32.exe
  • NS32.exe
  • NS64.exe
  • pay.exe
  • rdp.exe
  • RDView.exe
[Figure: Adversary executed pay.exe, encrypting the attack tools]
[Figure: DEL.exe launching child processes]
[Figure: Windows Security Event Log ID 4625 – evidence of Windows brute forcing]
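As an added example (not part of the original write-up), the following Python sketches detection logic for three steps in this timeline: the wevtutil log clearing, the vssadmin/WMIC shadow-copy deletion, and the burst of failed logons (Event ID 4625) that precedes an RDP brute-force compromise. The sample events, IP addresses, field names and thresholds are constructed assumptions, not data from the incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry modelled on the timeline above (not data from the incident):
# failed-logon records (Security Event ID 4625) and process-creation records (tagged id 1).
EVENTS = [
    {"ts": f"2020-08-01T10:07:{s:02d}Z", "id": 4625, "src_ip": "203.0.113.7",
     "logon_type": 10, "user": "administrator"} for s in range(0, 60, 8)
] + [
    {"ts": "2020-08-01T10:09:30Z", "id": 4625, "src_ip": "198.51.100.2", "logon_type": 10, "user": "jsmith"},
    {"ts": "2020-08-01T10:10:38Z", "id": 1, "cmd": "wevtutil.exe cl Security"},
    {"ts": "2020-08-01T10:10:38Z", "id": 1, "cmd": "wevtutil.exe cl System"},
    {"ts": "2020-08-01T10:13:20Z", "id": 1, "cmd": "vssadmin Delete Shadows /All /Quiet"},
    {"ts": "2020-08-01T10:13:21Z", "id": 1, "cmd": "wmic shadowcopy delete"},
]
# Command-line signatures for the defense-evasion and recovery-inhibition steps in the timeline.
CMD_RULES = [
    ("T1070 event log cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1490 shadow copies deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490 shadow copies deleted", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]

def match_commands(events):
    """Return (timestamp, technique label, command line) for each process creation matching a rule."""
    hits = []
    for e in events:
        for label, rx in CMD_RULES:
            if e["id"] == 1 and rx.search(e["cmd"]):
                hits.append((e["ts"], label, e["cmd"]))
    return hits

def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=2)):
    """Map source IP -> most failed RDP logons (4625, logon type 10) seen in any `window`, if >= threshold."""
    by_ip = defaultdict(list)
    for e in events:
        # Logon type 10 = RemoteInteractive; with NLA on, failed RDP logons often appear as type 3 instead.
        if e["id"] == 4625 and e["logon_type"] == 10:
            by_ip[e["src_ip"]].append(datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = j = 0
        for i, start in enumerate(times):  # two-pointer sliding window over the sorted timestamps
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Running both functions over EVENTS yields four command hits (two T1070, two T1490) and flags 203.0.113.7 with eight failed RDP logons inside the two-minute window, while the single failure from 198.51.100.2 stays below threshold.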