Dharma Ransomware Event
AI Analysis
Technical Summary
The Dharma ransomware is a malware family known for encrypting victims' data to extort ransom payments. It primarily targets systems through the exploitation of external remote services (MITRE ATT&CK T1133) and the use of valid accounts (T1078), indicating that attackers often gain initial access by compromising legitimate credentials or leveraging exposed remote access protocols such as RDP. Once inside the network, Dharma employs scripting techniques (T1064) to automate its malicious activities, including file and directory discovery (T1083) and network share discovery (T1135), to identify valuable data and propagate across networked systems. The ransomware then encrypts data for impact (T1486), rendering files inaccessible and demanding payment for decryption keys. Despite its impactful behavior, the threat is currently assessed with a low severity rating, possibly due to limited exploitation in the wild or the availability of defensive measures. No patches are available for this ransomware, as it exploits access vectors rather than software vulnerabilities. Indicators of compromise are not provided, which may complicate detection efforts. The attack chain suggests that initial access is often gained through compromised credentials or exposed remote services, followed by lateral movement and encryption activities. The lack of known exploits in the wild and absence of a CVSS score indicate that while the ransomware is a known threat, its current operational impact may be limited or targeted.
Potential Impact
For European organizations, Dharma ransomware poses a significant risk to data confidentiality, integrity, and availability. Successful infection results in widespread encryption of files, potentially crippling business operations, especially in sectors reliant on continuous data access such as manufacturing, healthcare, and finance. The use of valid accounts and external remote services as attack vectors means that organizations with remote access infrastructure or weak credential management are particularly vulnerable. The ransomware’s ability to discover network shares and directories facilitates rapid lateral movement, increasing the scope of impact within an enterprise. Although currently rated as low severity, the operational disruption and potential financial losses from ransom payments, downtime, and recovery efforts can be substantial. Additionally, the lack of patches means organizations must rely on preventive controls and incident response capabilities. The threat also underscores the importance of securing remote access and credential hygiene to prevent initial compromise. Given the ransomware’s persistence and adaptability, European organizations should remain vigilant to prevent potential escalations or variants with higher impact.
Mitigation Recommendations
1. Enforce strong multi-factor authentication (MFA) on all remote access services to mitigate risks associated with compromised valid accounts.
2. Restrict and monitor remote desktop protocol (RDP) and other external remote services by limiting access to trusted IP addresses and using VPNs with strict access controls.
3. Implement robust credential management policies, including regular password changes, use of password managers, and monitoring for credential leaks on dark web sources.
4. Deploy network segmentation to limit lateral movement, ensuring that critical systems and network shares are isolated and access is granted on a least-privilege basis.
5. Utilize endpoint detection and response (EDR) solutions capable of detecting scripting activities and unusual file access patterns indicative of ransomware behavior.
6. Maintain up-to-date offline backups with tested restoration procedures to ensure data recovery without paying ransom.
7. Conduct regular user training focused on phishing and social engineering tactics that may lead to credential compromise.
8. Monitor logs for unusual authentication attempts, especially from external sources, and implement automated alerts for suspicious activities.
9. Disable or limit scripting capabilities where not necessary, or apply application control policies to restrict execution of unauthorized scripts.
10. Establish an incident response plan specifically addressing ransomware scenarios, including containment, eradication, and recovery steps.
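Recommendations 5 and 8 above are abstract; the following is an added example (not code from this record or from the DFIR Report) of host-side detection logic derived from the artefacts this event lists: Shadow.bat (vssadmin delete shadows), LogDelete.bat (WEVTUTIL CL), closeapps.bat (taskkill of backup and Exchange processes), NS.exe launched from %USERPROFILE%\Desktop\Oc, and an RDP logon from the listed actor IP. The Sysmon/4624-style event field names and the sample events are constructed assumptions; each hit is mapped to the ATT&CK technique it evidences.

```python
"""Detection checks for the artefacts in this record: Shadow.bat, LogDelete.bat,
closeapps.bat, NS.exe run from Desktop\\Oc and an RDP logon from the actor IP.
Added example, not DFIR Report code; the event field names are an assumption."""
import re
from typing import Dict, List

Event = Dict[str, object]

ACTOR_LOGIN_SOURCES = {"217.138.202.116"}  # "rdp actor login source" in the record

# Lower-cased prefixes of the taskkill /IM targets in the closeapps_bat YARA rule.
KILL_TARGET_PREFIXES = (
    "veeam", "msexchange", "edgetransport", "microsoft.exchange", "sqlagentc",
    "cbservice", "cbinterface", "pvxcom", "wsusservice", "fdhost", "httpd",
    "agent.exe",
)

# Constructed sample telemetry: Sysmon-style process creation plus one
# 4624-style logon. Not real logs.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "host": "srv01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all"},
    {"type": "process", "host": "srv01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": 'WEVTUTIL CL "Security"'},
    {"type": "process", "host": "srv01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM Veeam.Backup.MountService.exe"},
    {"type": "process", "host": "ws07", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Desktop\Oc\NS.exe", "cmdline": "NS.exe"},
    {"type": "logon", "host": "srv01", "user": "CORP\\svc_backup",
     "logon_type": 10, "src_ip": "217.138.202.116"},
    {"type": "process", "host": "ws07", "user": "CORP\\jdoe",  # benign, must not fire
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def _cmd_matches(ev: Event, pattern: str) -> bool:
    return (ev["type"] == "process" and
            re.search(pattern, str(ev.get("cmdline", "")), re.I) is not None)


def shadow_deletion(ev: Event) -> bool:  # Shadow.bat: vssadmin delete shadows /all
    return _cmd_matches(ev, r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")


def event_log_clearing(ev: Event) -> bool:  # LogDelete.bat; "wevtutil el" alone is benign
    return _cmd_matches(ev, r"\bwevtutil(\.exe)?\s+cl\b")


def backup_or_mail_service_kill(ev: Event) -> bool:  # closeapps.bat taskkill targets
    m = re.search(r"\btaskkill(\.exe)?\b.*?/IM\s+(\S+)", str(ev.get("cmdline", "")), re.I)
    return (ev["type"] == "process" and m is not None
            and m.group(2).lower().startswith(KILL_TARGET_PREFIXES))


def ns_exe_from_staging_dir(ev: Event) -> bool:  # %USERPROFILE%\Desktop\Oc\NS.exe
    return ev["type"] == "process" and re.search(
        r"\\Desktop\\Oc\\NS\.exe$", str(ev.get("image", "")), re.I) is not None


def rdp_logon_from_actor_ip(ev: Event) -> bool:  # 4624 logon type 10 = RemoteInteractive
    return (ev["type"] == "logon" and ev.get("logon_type") == 10
            and str(ev.get("src_ip")) in ACTOR_LOGIN_SOURCES)


# (rule name, ATT&CK technique the hit evidences, predicate)
RULES = [
    ("shadow_copy_deletion", "T1490", shadow_deletion),
    ("event_log_clearing", "T1070.001", event_log_clearing),
    ("backup_mail_service_stop", "T1489", backup_or_mail_service_kill),
    ("ns_exe_share_scanner", "T1135", ns_exe_from_staging_dir),
    ("rdp_logon_actor_ip", "T1133", rdp_logon_from_actor_ip),
]


def evaluate(events: List[Event]) -> List[Dict[str, str]]:
    """One finding per (event, rule) hit, in event order."""
    findings = []
    for ev in events:
        for name, technique, check in RULES:
            if check(ev):
                findings.append({"rule": name, "technique": technique,
                                 "host": str(ev["host"]), "user": str(ev["user"]),
                                 "detail": str(ev.get("cmdline") or ev.get("src_ip"))})
    return findings


def hosts_needing_containment(findings: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Hosts where at least `threshold` distinct rules fired; the chain in this
    record (log clearing, shadow deletion, service kill) lands on one host."""
    per_host: Dict[str, set] = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, r in per_host.items() if len(r) >= threshold)
```

Running `evaluate(SAMPLE_EVENTS)` flags five of the six constructed events and `hosts_needing_containment` singles out srv01, where four distinct behaviours co-occur.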
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Threat Level: 3
- Analysis: 0
- Uuid: 5ee3822c-6828-418c-b619-62de950d210f
- Original Timestamp: 1592742357
Indicators of Compromise
Ip
Value | Description
---|---
217.138.202.116 | rdp actor login source
Yara

```yara
/*
YARA Rule Set
Author: DFIR Report
Date: 2020-06-12
Identifier: dharma-06-12-20
Reference: https://thedfirreport.com/
*/

/* Rule Set ----------------------------------------------------------------- */

import "pe"

rule vssadmin_Shadow_bat {
    meta:
        description = "dharma-06-12-20 - file Shadow.bat"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/"
        date = "2020-06-12"
        hash1 = "da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878"
    strings:
        $s1 = "vssadmin delete shadows /all" fullword ascii
    condition:
        uint16(0) == 0x7376 and filesize < 1KB and
        all of them
}

rule Network_Scanner_post_exploit_enumeration {
    meta:
        description = "dharma-06-12-20 - file NS.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/"
        date = "2020-06-12"
        hash1 = "f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446"
    strings:
        $s1 = "CreateMutex error: %d" fullword ascii
        $s2 = "--Error mount \\\\%s\\%s Code: %d" fullword wide
        $s3 = "-Found share \\\\%s\\%s" fullword wide
        $s4 = "--Share \\\\%s\\%s successfully mounted" fullword wide
        $s5 = "host %s is up" fullword ascii
        $s6 = "Get ip: %s and mask: %s" fullword wide
        $s7 = "GetAdaptersInfo failed with error: %d" fullword wide
        $s8 = "# Network scan and mount include chek for unmounted local volumes. #" fullword wide
        $s9 = "####################################################################" fullword wide /* reversed goodware string '####################################################################' */
        $s10 = "Share %s successfully mounted" fullword wide
        $s11 = "Error mount %s %d" fullword wide
        $s12 = "Failed to create thread." fullword ascii
        $s13 = " start scan for shares. " fullword wide
        $s14 = "# '98' was add for standalone usage! #" fullword wide
        $s15 = "Error, wrong value." fullword wide
        $s16 = "QueryDosDeviceW failed with error code %d" fullword wide
        $s17 = "FindFirstVolumeW failed with error code %d" fullword wide
        $s18 = "FindNextVolumeW failed with error code %d" fullword wide
        $s19 = "SetVolumeMountPointW failed with error code %d" fullword wide
        $s20 = "| + scan local volumes for unmounted drives. |" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and
        ( pe.imphash() == "0b0d8152ea7241cce613146b80a998fd" or 8 of them )
}

rule Dharma_ransomware_1pgp {
    meta:
        description = "dharma-06-12-20 - file 1pgp.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/"
        date = "2020-06-12"
        hash1 = "2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b"
    strings:
        $x1 = "C:\\crysis\\Release\\PDB\\payload.pdb" fullword ascii
        $s2 = "sssssbsss" fullword ascii
        $s3 = "sssssbs" fullword ascii
        $s4 = "9c%Q%f" fullword ascii
        $s5 = "jNYZO\\" fullword ascii
        $s6 = "RSDS%~m" fullword ascii
        $s7 = "xy ?*5" fullword ascii
        $s8 = "<a-g6J" fullword ascii
        $s9 = "]q)WtH?" fullword ascii
        $s10 = "s=9uo^" fullword ascii
        $s11 = "\"iMw\\e" fullword ascii
        $s12 = "{?nT*}2g" fullword ascii
        $s13 = "h*UqD*" fullword ascii
        $s14 = "b,_f n7" fullword ascii
        $s15 = "+mm7S%I" fullword ascii
        $s16 = "+L]DAb" fullword ascii
        $s17 = "nq0<3AD" fullword ascii
        $s18 = "U2cUbO" fullword ascii
        $s19 = ";C!|E2z" fullword ascii
        $s20 = "P)8$X=" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and
        ( pe.imphash() == "f86dec4a80961955a89e7ed62046cc0e" or ( 1 of ($x*) or 4 of them ) )
}

rule closeapps_bat {
    meta:
        description = "dharma-06-12-20 - file closeapps.bat"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/"
        date = "2020-06-12"
        hash1 = "e25245f98a23596e03e51535beb0f73c000de63e473580c4c26e7b8b01b4e593"
    strings:
        $x1 = "taskkill /F /IM MSExchangeTransportLogSearch.exe" fullword ascii
        $x2 = "taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe" fullword ascii
        $x3 = "taskkill /F /IM MSExchangeTransport.exe" fullword ascii
        $x4 = "taskkill /F /IM EdgeTransport.exe" fullword ascii
        $x5 = "taskkill /F /IM Microsoft.Exchange.ServiceHost.exe" fullword ascii
        $x6 = "taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe" fullword ascii
        $x7 = "taskkill /F /IM agent.exe" fullword ascii
        $x8 = "taskkill /F /IM fdhost.exe" fullword ascii
        $x9 = "taskkill /F /IM MSExchangeThrottling.exe" fullword ascii
        $x10 = "taskkill /F /IM sqlagentc.exe" fullword ascii
        $x11 = "taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe" fullword ascii
        $x12 = "taskkill /F /IM Veeam.Backup.CatalogDataService.exe" fullword ascii
        $x13 = "taskkill /F /IM cbInterface.exe" fullword ascii
        $x14 = "taskkill /F /IM httpd.exe" fullword ascii
        $x15 = "taskkill /F /IM VeeamTransportSvc.exe" fullword ascii
        $x16 = "taskkill /F /IM cbService.exe" fullword ascii
        $x17 = "taskkill /F /IM Veeam.Backup.BrokerService.exe" fullword ascii
        $x18 = "taskkill /F /IM wsusservice.exe" fullword ascii
        $x19 = "taskkill /F /IM pvxcom.exe" fullword ascii
        $x20 = "taskkill /F /IM Veeam.Backup.MountService.exe" fullword ascii
    condition:
        uint16(0) == 0x6c3a and filesize < 10KB and
        1 of ($x*)
}

rule LogDelete_bat {
    meta:
        description = "dharma-06-12-20 - file LogDelete.bat"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/"
        date = "2020-06-12"
        hash1 = "e17ca6c764352c0a74e1e6b80278bb4395588df4bed64833b1b127ea2ca5c5fd"
    strings:
        $s1 = "FOR /F \"delims=\" %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL \"%%I\") " fullword ascii
    condition:
        uint16(0) == 0x4f46 and filesize < 1KB and
        all of them
}

rule Everything_seach_tool {
    meta:
        description = "dharma-06-12-20 - file Everything.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/"
        date = "2020-06-12"
        hash1 = "35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413"
    strings:
        $x1 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\" xmlns:asmv3=\"urn:schemas-microsoft-com:asm.v3\"><a" ascii
        $s2 = "\" version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\"></assemblyIdentity></depen" ascii
        $s3 = "http://www.voidtools.com/downloads/" fullword ascii
        $s4 = "http://www.voidtools.com/downloads/#language" fullword ascii
        $s5 = "Folder\\shell\\%s\\command" fullword ascii
        $s6 = "Directory\\background\\shell\\%s\\command" fullword ascii
        $s7 = "Directory\\Background\\shell\\%s\\command" fullword ascii
        $s8 = "yIdentity version=\"1.0.0.0\" processorArchitecture=\"*\" name=\"Everything\" type=\"win32\"></assemblyIdentity><description>Eve" ascii
        $s9 = "; settings stored in %APPDATA%\\Everything\\Everything.ini" fullword ascii
        $s10 = "Host the pipe server with the security descriptor." fullword ascii
        $s11 = "http://www.voidtools.com/support/everything/" fullword ascii
        $s12 = "username:password@host:port" fullword ascii
        $s13 = "<html><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><meta name=\"viewport\" content=\"width=512\"><head" ascii
        $s14 = "\\\\.\\PIPE\\Everything Service" fullword ascii
        $s15 = "Everything Service Debug Log.txt" fullword wide
        $s16 = "Auto detect will attempt to read file contents with the associated IFilter." fullword ascii
        $s17 = "processed %I64u / %I64u file records" fullword ascii
        $s18 = "SERVICE_SERVER_COMMAND_REFS_MONITOR_READ_USN_JOURNAL_DATA read ok %d" fullword ascii
        $s19 = "Store settings and data in %APPDATA%\\Everything?" fullword ascii
        $s20 = "http://www.voidtools.com/donate/" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 5000KB and
        ( pe.imphash() == "e7a8222fca78bde6fe29c9cc10d97ca2" or ( 1 of ($x*) or 4 of them ) )
}

/* Super Rules ------------------------------------------------------------- */

rule Everything_search_tool_super {
    meta:
        description = "dharma-06-12-20 - from files Everything.exe, Everything.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/"
        date = "2020-06-12"
        hash1 = "35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413"
        hash2 = "35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413"
    strings:
        $s1 = "-disable-run-as-admin" fullword ascii /* Goodware String - occured 1 times */
        $s2 = "type=%s;" fullword ascii /* Goodware String - occured 1 times */
        $s3 = "EVERYTHING" fullword ascii /* Goodware String - occured 1 times */
        $s4 = "-install-run-on-system-startup" fullword ascii /* Goodware String - occured 2 times */
        $s5 = "-uninstall-url-protocol" fullword ascii /* Goodware String - occured 2 times */
        $s6 = "-app-data" fullword ascii /* Goodware String - occured 2 times */
        $s7 = "-uninstall-service" fullword ascii /* Goodware String - occured 2 times */
        $s8 = "-uninstall-efu-association" fullword ascii /* Goodware String - occured 2 times */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 5000KB and pe.imphash() == "e7a8222fca78bde6fe29c9cc10d97ca2" and ( all of them )
        ) or ( all of them )
}
```
Link
Value | Description
---|---
https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/ | —
File
Value | Description
---|---
1pgp.exe | —
closeapps.bat | —
Everything.exe | —
LogDelete.bat | —
NS.exe | —
Shadow.bat | —
Text
Value | Description
---|---
%USERPROFILE%\Desktop\Oc\NS.exe | —
Threat ID: 682c7adce3e6de8ceb7789e8
Added to database: 5/20/2025, 12:51:40 PM
Last enriched: 6/19/2025, 2:18:53 PM
Last updated: 8/14/2025, 2:45:33 PM