Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    156s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/05/2023, 10:43

General

  • Target

    2023-05-29_4c6a424ad657cc896926ea9ba095dc77_crysis.exe

  • Size

    92KB

  • MD5

    4c6a424ad657cc896926ea9ba095dc77

  • SHA1

    dcffd7bad08bd5ddd88f9dce66956b329f25fa26

  • SHA256

    017b9f584f114b80d16295204766121250f9178bf7c6bbbc2545f448fdf43cac

  • SHA512

    77007125ba292109ca63dacffca3507276bfa3ec4c0a91bd3d35a13087d19f1e108dbd37caa223e802c11c69d84ca30a1a966387cc0ace1b243e495c6326e1b0

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4ALIuoiaqPZbIz4zQmm+7PAplOLsN4WZ:Qw+asqN5aW/hLNjoT8zF7Pf

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (475) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-05-29_4c6a424ad657cc896926ea9ba095dc77_crysis.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-05-29_4c6a424ad657cc896926ea9ba095dc77_crysis.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:4340
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3796
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:6308
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:6324
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:1104
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:1560
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:7128
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:756

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-6F66A2EF.[[email protected]].data

            Filesize

            2.9MB

            MD5

            bb82c69c239510b68bd82377e6a330b5

            SHA1

            3d0991eda4a66cde0fb61ea018d43bdbf421b7b4

            SHA256

            2752e82b276403581222b1359321f5f0d9df2dfa70745d62c47149a7a6369c05

            SHA512

            762754fdca62981f6b9a0376c774704d3bd13087cd9621170a1c2b510b0f5c40759d74257472f099fe20fac439f1e23000fcfefdf6ddc59d52090ff03045b9c5

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

            Filesize

            7KB

            MD5

            b7ef5b94f403647b1b56fd42bfe52966

            SHA1

            759cf9db52075096241a79795adfd3cf0199b79a

            SHA256

            f3b13fdaacd39128fbccc54ce63d657dd40de192155609707635c040dd5025e1

            SHA512

            4bf27ea64dbc510586c8da411d763060365838920a8b0a34cf193c3368dbddbaf7e024c6b5d20d86a3de79101cbcdda7aafbd1dd56b98c2fc90ae81739c13f99

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

            Filesize

            7KB

            MD5

            b7ef5b94f403647b1b56fd42bfe52966

            SHA1

            759cf9db52075096241a79795adfd3cf0199b79a

            SHA256

            f3b13fdaacd39128fbccc54ce63d657dd40de192155609707635c040dd5025e1

            SHA512

            4bf27ea64dbc510586c8da411d763060365838920a8b0a34cf193c3368dbddbaf7e024c6b5d20d86a3de79101cbcdda7aafbd1dd56b98c2fc90ae81739c13f99