dharma | 1a05cba6870798d2e73001bf872e4d579460c380c060fd051f33a703f504b8a3

General

Target

2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
Size

92KB
MD5

786ce74458720ec55b824586d2e5666d
SHA1

6f62e7fe75a0876939e0dd95d314b83e25e1e395
SHA256

1a05cba6870798d2e73001bf872e4d579460c380c060fd051f33a703f504b8a3
SHA512

083fe6cde08dac05043ecc0fdbc8b26b0764de7f651ad19e96a937bc27de96242f1763b701b308eab7e0b9a8dd88cbc45e9c891de505b5348581acd4e1495c33
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4A9eAzVbobr+t+NK1GcoDc50cO2tqpbe:Qw+asqN5aW/hL2UVEnHKIcAtcO2tqpb

Score

10^/10

dharma persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe = "C:\\Windows\\System32\\2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe"	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2548970870-3691742953-3895070203-1000\desktop.ini	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\desktop.ini	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

Drops file in System32 directory 1 IoCs

Processes:

2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

description	ioc	process
File created	C:\Windows\System32\2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

Drops file in Program Files directory 64 IoCs

Processes:

2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-black_scale-125.png	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyDrop32x32.gif	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.boot.tree.dat.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\PREVIEW.GIF	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-125_contrast-white.png	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White@2x.png	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\instrument.dll.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\MedTile.scale-125.png	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White@3x.png.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125.png	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xsl	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.id-09C4942A.[datacentreback@msgsafe.io].data	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4688 vssadmin.exe

pid	process
4688	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

pid	process
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2440 vssvc.exe
Token: SeRestorePrivilege 2440 vssvc.exe
Token: SeAuditPrivilege 2440 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2440	vssvc.exe
Token: SeRestorePrivilege	2440	vssvc.exe
Token: SeAuditPrivilege	2440	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.execmd.exe

description	pid	process	target process
PID 4604 wrote to memory of 3708	4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe	cmd.exe
PID 4604 wrote to memory of 3708	4604	2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe	cmd.exe
PID 3708 wrote to memory of 2468	3708	cmd.exe	mode.com
PID 3708 wrote to memory of 2468	3708	cmd.exe	mode.com
PID 3708 wrote to memory of 4688	3708	cmd.exe	vssadmin.exe
PID 3708 wrote to memory of 4688	3708	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-12_786ce74458720ec55b824586d2e5666d_crysis.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:2468

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-09C4942A.[datacentreback@msgsafe.io].data
Filesize
2.9MB

MD5
e1e8f2f59ac2c87d3f701195c94c16e4

SHA1
03ea5f3ce03f544f9f2a832bb6dc8fb3ba53b3f4

SHA256
39d95f5c2844cbd0cd4ac10a75a4c908c851cb41dcc849ba5f95c43f27df379a

SHA512
9829d148f8c1371c98494e1511ee6fc52cd7622a7ef6254923e5371565717e06a4fd905df61b52b74ceb288cc66a14694d0cdea32077cd492993f5eb3ede6e1e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads