Overview

overview

10

Static

static

3

2023-05-12...is.exe

windows7-x64

10

2023-05-12...is.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2023 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

  • Size

    92KB

  • MD5

    786ce74458720ec55b824586d2e5666d

  • SHA1

    6f62e7fe75a0876939e0dd95d314b83e25e1e395

  • SHA256

    1a05cba6870798d2e73001bf872e4d579460c380c060fd051f33a703f504b8a3

  • SHA512

    083fe6cde08dac05043ecc0fdbc8b26b0764de7f651ad19e96a937bc27de96242f1763b701b308eab7e0b9a8dd88cbc45e9c891de505b5348581acd4e1495c33

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4A9eAzVbobr+t+NK1GcoDc50cO2tqpbe:Qw+asqN5aW/hL2UVEnHKIcAtcO2tqpb

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email datacentreback@msgsafe.io YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: moriartydata@onionmail.org Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

datacentreback@msgsafe.io

moriartydata@onionmail.org

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:2508
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2472
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:5180
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:1056
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:2264
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:1592
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4220

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          1
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-AA828466.[datacentreback@msgsafe.io].data
            Filesize

            2.9MB

            MD5

            2d665c27d5167cf881d42557346f17d6

            SHA1

            32a6daf58c92616f29454dcbe028a054d71f314a

            SHA256

            bad484d6b98006eaa5f9178d14c336c2b5aec3efa847583f3bbb7e429558606a

            SHA512

            714e33d5d9acc712cdd65de107c1e3a0385eaff51c46828f900544239407ea8a1f90fafdddc7b9ac4b4fd7ab354595c5445005eee7ed9c5225f421a6f0c47221

            Download Submit
          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            204eb47ae3737636f41cb838515310b1

            SHA1

            4dbba4c98bc806c8128ca9d80b4442dbf0144f39

            SHA256

            a333fe6919cb2d868b89507356fb42724c7cfd881b2c241a26334de338b7958c

            SHA512

            4b030814820f04175737c26e42f92d474459b97bf1fa6cdd11c57970c6a9acaa8f0feb1ebdbfe57c230dd4d4602c9f67765cd22717407edfa779f3f4dfd233d6

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            204eb47ae3737636f41cb838515310b1

            SHA1

            4dbba4c98bc806c8128ca9d80b4442dbf0144f39

            SHA256

            a333fe6919cb2d868b89507356fb42724c7cfd881b2c241a26334de338b7958c

            SHA512

            4b030814820f04175737c26e42f92d474459b97bf1fa6cdd11c57970c6a9acaa8f0feb1ebdbfe57c230dd4d4602c9f67765cd22717407edfa779f3f4dfd233d6

            Download Submit