Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 16:45

General

  • Target

    2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

  • Size

    92KB

  • MD5

    43eb2adc4b1d22c5564764ce79e2105d

  • SHA1

    fcf5c8f18e0392ad814965f940c3f771aea53eab

  • SHA256

    398785f9ad7532ad6d378fa0f23a79aff492561afca6adf8a7df13c71a37aec9

  • SHA512

    8537af76b3c569f7b4199177413c9410de5f612e4240f05753389e0ed601bfa6477cf9739264bd27d659aecf326488ca8b8eee51976fe37d26441af87d314c74

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4AcFDbjzOx/8di/Laww8NOsC7okPpp3tb1:Qw+asqN5aW/hLKpjzOx/zzaH8UsC9PpB

Malware Config

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (313) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    1⤵
    • Interacts with shadow copies
    PID:2776
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2804
  • C:\Windows\system32\mode.com
    mode con cp select=1251
    1⤵
      PID:2500
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:848
    • C:\Users\Admin\AppData\Local\Temp\2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
      "C:\Users\Admin\AppData\Local\Temp\2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe"
      1⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:3880
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        2⤵
        • Modifies Internet Explorer settings
        PID:3884
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3020
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 241BDC425FD48903DF95C77656A147D7
        2⤵
        • Loads dropped DLL
        PID:2120
      • C:\Windows\system32\MsiExec.exe
        C:\Windows\system32\MsiExec.exe -Embedding 91F1D9FC85665EB685DBFC4C27A87B34
        2⤵
        • Loads dropped DLL
        PID:1208
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      1⤵
      • Interacts with shadow copies
      PID:3752
    • C:\Windows\system32\mode.com
      mode con cp select=1251
      1⤵
        PID:760

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Indicator Removal

      2
      T1070

      File Deletion

      2
      T1070.004

      Modify Registry

      2
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      2
      T1082

      Collection

      Data from Local System

      1
      T1005

      Impact

      Inhibit System Recovery

      2
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id-D1AF6AEB.[tutu@download_file].tutu
        Filesize

        92KB

        MD5

        36a5e68c48806c485f5654c10f31474d

        SHA1

        4cbb488a15f33abfa8031b902aa0e55c9cc1bb1e

        SHA256

        44791e323249b7a22e8f41aae028e04f3efc42c19a35eb158f8c5494e0b8a3bf

        SHA512

        602a771f3bfa6adb9dcf7a55b1aa15cb6bbdb1c50388007acee3ff73bc004bd7fe665c9c9ec29351e277aa8951976086ba920d36672e4e9148ec14bcb5d7d74b