dharma | 398785f9ad7532ad6d378fa0f23a79aff492561afca6adf8a7df13c71a37aec9

General

Target

2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
Size

92KB
MD5

43eb2adc4b1d22c5564764ce79e2105d
SHA1

fcf5c8f18e0392ad814965f940c3f771aea53eab
SHA256

398785f9ad7532ad6d378fa0f23a79aff492561afca6adf8a7df13c71a37aec9
SHA512

8537af76b3c569f7b4199177413c9410de5f612e4240f05753389e0ed601bfa6477cf9739264bd27d659aecf326488ca8b8eee51976fe37d26441af87d314c74
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4AcFDbjzOx/8di/Laww8NOsC7okPpp3tb1:Qw+asqN5aW/hLKpjzOx/zzaH8UsC9PpB

Score

10^/10

dharma persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe = "C:\\Windows\\System32\\2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe"	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1497073144-2389943819-3385106915-1000\desktop.ini	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

Drops file in System32 directory 1 IoCs

Processes:

2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

description	ioc	process
File created	C:\Windows\System32\2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

Drops file in Program Files directory 64 IoCs

Processes:

2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\7-Zip\7z.exe.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.id-C9DCDBDD.[tutu@download_file].tutu	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

6216 vssadmin.exe
7464 vssadmin.exe

pid	process
6216	vssadmin.exe
7464	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

pid	process
2800	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
2800	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
2800	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
2800	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.execmd.exe

description	pid	process	target process
PID 2800 wrote to memory of 4492	2800	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe	cmd.exe
PID 2800 wrote to memory of 4492	2800	2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe	cmd.exe
PID 4492 wrote to memory of 4084	4492	cmd.exe	mode.com
PID 4492 wrote to memory of 4084	4492	cmd.exe	mode.com

C:\Users\Admin\AppData\Local\Temp\2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe
"C:\Users\Admin\AppData\Local\Temp\2023-12-29_43eb2adc4b1d22c5564764ce79e2105d_crysis_dharma.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:4084

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:6216

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:8776

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:7464

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:5020

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:7096

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:5948