dharma | d223d35d360566205c14a9175d5856a63adaf7464c728526b22baee6e9388018

General

Target

2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
Size

92KB
MD5

187085f60a15d78358d268cf183367e6
SHA1

1e13b0fc5b939e8083963abffda959c33475d161
SHA256

d223d35d360566205c14a9175d5856a63adaf7464c728526b22baee6e9388018
SHA512

52d003c0c257646ae15341f740a4bb5aea2445f796957b8fd7abaa19b0ca612bf2f2fcdf34adc99bfb820e2d6569a0dbb7f7bf0842b6fc6ea534e72c0d816ed9
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4AOHYncfbfTLY+7L+v7/Nthwydlfssi:Qw+asqN5aW/hL+YnGbLY+GzPqyd5

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

z1n All your files have been encrypted! Don't worry, you can return all your files! If you want to restore them, write to the mail: zohodzin@tuta.io YOUR ID zohodzin@cock.li We strongly recommend that you do not use the services of intermediaries and first check the prices and conditions directly with us. The use of intermediaries may involve risks such as: -Overcharging: Intermediaries may charge inflated prices, resulting in improper additional costs to you. -Unjustified debit: There is a risk that your money may be stolen by intermediaries for personal use and they may claim that we did it. -Rejection of the transaction and termination of communication: Intermediaries may refuse to cooperate for personal reasons, which may result in termination of communication and make it difficult to resolve issues. We understand that data loss can be a critical issue, and we are proud to provide you with encrypted data recovery services. We strive to provide you with the highest level of confidence in our abilities and offer the following guarantees: ---Recovery demo: We provide the ability to decrypt up to three files up to 5 MB in size on a demo basis. Please note that these files should not contain important and critical data. Demo recovery is intended to demonstrate our skills and capabilities. ---Guaranteed Quality: We promise that when we undertake your data recovery, we will work with the utmost professionalism and attention to detail to ensure the best possible results. We use advanced technology and techniques to maximize the likelihood of a successful recovery. ---Transparent communication: Our team is always available to answer your questions and provide you with up-to-date information about the data recovery process. We appreciate your participation and feedback. Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

zohodzin@tuta.io

zohodzin@cock.li

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 5 IoCs

Processes:

2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

Loads dropped DLL 8 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

1516 MsiExec.exe
1516 MsiExec.exe
1516 MsiExec.exe
1516 MsiExec.exe
1516 MsiExec.exe
1516 MsiExec.exe
1516 MsiExec.exe
3452 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1516	MsiExec.exe
1516	MsiExec.exe
1516	MsiExec.exe
1516	MsiExec.exe
1516	MsiExec.exe
1516	MsiExec.exe
1516	MsiExec.exe
3452	MsiExec.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe = "C:\\Windows\\System32\\2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe"	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2GIU3NG8\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMDLW4SJ\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BP3UABCB\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FW0P2MZH\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4XCMPANZ\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JJ7YKCO8\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in System32 directory 2 IoCs

Processes:

2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

description	ioc	process
File created	C:\Windows\System32\2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Windows\System32\Info.hta	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYERHM.POC.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libglwin32_plugin.dll.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\TexturedBlue.css.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293238.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00686_.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODEXL.DLL.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\Proof.XML	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199423.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryLetter.dotx	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Aspect.thmx.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00135_.GIF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignleft.gif.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149481.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14792_.GIF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis.css.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.DPV.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_FR.LEX.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\wxpr.dll.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.DPV.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2native.dll	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0252669.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GR8GALRY.GRA	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\setup.ini.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01805_.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\service.js	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00694_.WMF.id-1097374E.[zohodzin@tuta.io].z1n	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f766e5d.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F96.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f766e60.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI741C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI743C.tmp	msiexec.exe
File created	C:\Windows\Installer\f766e5d.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7004.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI716C.tmp	msiexec.exe
File created	C:\Windows\Installer\f766e60.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7844.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2832 vssadmin.exe
3128 vssadmin.exe

pid	process
2832	vssadmin.exe
3128	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 20 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb open \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler\ = "{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command\ = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb edit \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "\"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exemsiexec.exe

pid	process
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
3576	msiexec.exe
3576	msiexec.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

vssvc.exemsiexec.exe

description	pid	process
Token: SeBackupPrivilege	2640	vssvc.exe
Token: SeRestorePrivilege	2640	vssvc.exe
Token: SeAuditPrivilege	2640	vssvc.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.execmd.execmd.exemsiexec.exe

description	pid	process	target process
PID 2232 wrote to memory of 3000	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	cmd.exe
PID 2232 wrote to memory of 3000	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	cmd.exe
PID 2232 wrote to memory of 3000	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	cmd.exe
PID 2232 wrote to memory of 3000	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	cmd.exe
PID 3000 wrote to memory of 1680	3000	cmd.exe	mode.com
PID 3000 wrote to memory of 1680	3000	cmd.exe	mode.com
PID 3000 wrote to memory of 1680	3000	cmd.exe	mode.com
PID 3000 wrote to memory of 2832	3000	cmd.exe	vssadmin.exe
PID 3000 wrote to memory of 2832	3000	cmd.exe	vssadmin.exe
PID 3000 wrote to memory of 2832	3000	cmd.exe	vssadmin.exe
PID 2232 wrote to memory of 2236	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	cmd.exe
PID 2232 wrote to memory of 2236	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	cmd.exe
PID 2232 wrote to memory of 2236	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	cmd.exe
PID 2232 wrote to memory of 2236	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	cmd.exe
PID 2236 wrote to memory of 3116	2236	cmd.exe	mode.com
PID 2236 wrote to memory of 3116	2236	cmd.exe	mode.com
PID 2236 wrote to memory of 3116	2236	cmd.exe	mode.com
PID 2236 wrote to memory of 3128	2236	cmd.exe	vssadmin.exe
PID 2236 wrote to memory of 3128	2236	cmd.exe	vssadmin.exe
PID 2236 wrote to memory of 3128	2236	cmd.exe	vssadmin.exe
PID 2232 wrote to memory of 3632	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	mshta.exe
PID 2232 wrote to memory of 3632	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	mshta.exe
PID 2232 wrote to memory of 3632	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	mshta.exe
PID 2232 wrote to memory of 3632	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	mshta.exe
PID 2232 wrote to memory of 3500	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	mshta.exe
PID 2232 wrote to memory of 3500	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	mshta.exe
PID 2232 wrote to memory of 3500	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	mshta.exe
PID 2232 wrote to memory of 3500	2232	2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe	mshta.exe
PID 3576 wrote to memory of 1516	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 1516	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 1516	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 1516	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 1516	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 1516	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 1516	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 3452	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 3452	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 3452	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 3452	3576	msiexec.exe	MsiExec.exe
PID 3576 wrote to memory of 3452	3576	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_187085f60a15d78358d268cf183367e6_crysis_dharma.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1680

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2832

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:3116

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3128

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:3632

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:3500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 91F1D9FC851B5EB685DBFC4C27A88934
2⤵
- Loads dropped DLL
PID:1516

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 56532AD9F3189FB7C1158E173CA156DA
2⤵
- Loads dropped DLL
PID:3452

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-1097374E.[zohodzin@tuta.io].z1n
Filesize
206KB

MD5
cf978c8655b9b87a8666634b0b9ff12c

SHA1
b26b9b96ed6c5797cf7c41a71e693d9c7a755be6

SHA256
953c552eef69a4165282d13d3a7f97a254387617a5345d488d7aad82f72e311a

SHA512
8c880956e7b87a09afea1a2350e15129ba065acf3151fe8bdf4fc5073949883d3d6b7bdba59ee52cec2b788526c18209657bcb2ea7e1a897aecab20e9314a5bc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
3KB

MD5
3bb72671a801af5cbee4e64692446b9b

SHA1
2492e54cf0c21f0b65278c80df0dc4538dfa32b0

SHA256
4392903e5dea3932d1c02c44462a4646548427efe4deeed35b2bcd2c233c1823

SHA512
f1bea4facb0d5e5409667c1b07b34dd1bb21a37953e3cb65d102cae83ed5de1b5b41354ac65ad908fe557bb26e1ce99dbef7fb0a330d5cf0fc6df1ea3401783c

Download Submit
C:\Windows\Installer\MSI6EAB.tmp
Filesize
257KB

MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
C:\Windows\Installer\MSI6F96.tmp
Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSI73BD.tmp
Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Installer\MSI743C.tmp
Filesize
148KB

MD5
33908aa43ac0aaabc06a58d51b1c2cca

SHA1
0a0d1ce3435abe2eed635481bac69e1999031291

SHA256
4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

SHA512
d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

Download Submit
C:\Windows\Installer\MSI7844.tmp
Filesize
86KB

MD5
ff58cd07bf4913ef899efd2dfb112553

SHA1
f14c1681de808543071602f17a6299f8b4ba2ae8

SHA256
1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391

SHA512
23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

Download Submit
memory/3632-20107-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads