dharma | dfedd70ec623c4ed1c0301be4085237905edb6ee317306c3e3652fb29924ef65

General

Target

2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
Size

92KB
MD5

ec753315ec4b04a00ae8b5dfb6c45e63
SHA1

a903115ffa6f3594ba3034e27d7d296832fb51f8
SHA256

dfedd70ec623c4ed1c0301be4085237905edb6ee317306c3e3652fb29924ef65
SHA512

496a5f7bf2ada536dcabdd58f595388e6ba74df5496033a4324576aa72a1a35ffa738c3dd12147ceb8688808c7a26bd4acc86d94dba0100e906b1d4835def534
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4ArMTFLulwJ9dj2o/GWXmIhtt8:Qw+asqN5aW/hLaTFLUQbH/IIny

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All FILES ENCRYPTED "RSA1024" All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL payday@tfwno.gf IN THE LETTER WRITE YOUR ID, YOUR ID 5FECB4F3 IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: payday@keemail.me YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL FREE DECRYPTION FOR PROOF You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) DECRYPTION PROCESS: When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you: 1. Decryption program. 2. Detailed instruction for decryption. 3. And individual keys for decrypting your files. !WARNING! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

payday@tfwno.gf

payday@keemail.me

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (503) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

Drops startup file 5 IoCs

Processes:

2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe = "C:\\Windows\\System32\\2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe"	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

Drops file in System32 directory 2 IoCs

Processes:

2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

description	ioc	process
File created	C:\Windows\System32\2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Windows\System32\Info.hta	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-environment-l1-1-0.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-disabled.svg.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\ui-strings.js.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-100.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-32_altform-unplated.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_connect.targetsize-48.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\spectrum_spinner_process.svg.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ca.pak.DATA.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\System.Windows.Forms.resources.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\BlurredGradientBackground.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_100_percent.pak	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Controls.Ribbon.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\splashscreen.scale-200.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark@3x.png.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-40_altform-unplated.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated_contrast-white.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\plugin.js.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_opencarat_18.svg.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ui-strings.js	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_dummy_plugin.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\System.Windows.Controls.Ribbon.resources.dll	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\PresentationCore.resources.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\System.Xaml.resources.dll	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\PREVIEW.GIF	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\ui-strings.js.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\ui-strings.js	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_hu.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNG.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_contrast-white.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordcnvr.dll	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromaprint_plugin.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\ReachFramework.resources.dll	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\PresentationCore.resources.dll.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Web.HttpUtility.dll	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.id-5FECB4F3.[payday@tfwno.gf].html	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

5384 vssadmin.exe
3280 vssadmin.exe

pid	process
5384	vssadmin.exe
3280	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

pid	process
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4880 vssvc.exe
Token: SeRestorePrivilege 4880 vssvc.exe
Token: SeAuditPrivilege 4880 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4880	vssvc.exe
Token: SeRestorePrivilege	4880	vssvc.exe
Token: SeAuditPrivilege	4880	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.execmd.execmd.exe

description	pid	process	target process
PID 116 wrote to memory of 1320	116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe	cmd.exe
PID 116 wrote to memory of 1320	116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe	cmd.exe
PID 1320 wrote to memory of 1676	1320	cmd.exe	mode.com
PID 1320 wrote to memory of 1676	1320	cmd.exe	mode.com
PID 1320 wrote to memory of 3280	1320	cmd.exe	vssadmin.exe
PID 1320 wrote to memory of 3280	1320	cmd.exe	vssadmin.exe
PID 116 wrote to memory of 1592	116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe	cmd.exe
PID 116 wrote to memory of 1592	116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe	cmd.exe
PID 1592 wrote to memory of 3188	1592	cmd.exe	mode.com
PID 1592 wrote to memory of 3188	1592	cmd.exe	mode.com
PID 1592 wrote to memory of 5384	1592	cmd.exe	vssadmin.exe
PID 1592 wrote to memory of 5384	1592	cmd.exe	vssadmin.exe
PID 116 wrote to memory of 5672	116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe	mshta.exe
PID 116 wrote to memory of 5672	116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe	mshta.exe
PID 116 wrote to memory of 5400	116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe	mshta.exe
PID 116 wrote to memory of 5400	116	2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe	mshta.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-15_ec753315ec4b04a00ae8b5dfb6c45e63_crysis_dharma.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1676

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3280

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:3188

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5384

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:5672

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:5400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-5FECB4F3.[payday@tfwno.gf].html
Filesize
2.9MB

MD5
3aa7799c663d4e1cc66c9e24c31ba3f9

SHA1
4216cb6e0da3d44a7d33c5affadabefe9ae7c751

SHA256
7d6f9e6993fbba9fefd66cacf7b7cd7f4df3fb4368c8834003628a42be710b8b

SHA512
25edd3ee12483d1305d47f3b1811fad9be73628112aaf06ce01d51b8cbe7b389131131f06896476fd5405c8b3c48f4225c283ea41c9b4d25111d473601b0d9eb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
13KB

MD5
9b5255055014114526e496e93e99ef77

SHA1
5fc0aa234cafa6770cfcba1e65a9ed1cea04c3ae

SHA256
29f3952258dc40cb5f5b98d03430ddab42b165e3f3012fbb778110ee89400631

SHA512
316c6434e3884cbd0e612f0821034bc851971327057dc48af40e9347d872c85f2735bda383e4699860c311a1a789a262fbfe52e70aa1a46e74b5dc9f406dc22f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
1KB

MD5
76736b900147c986c6160ceaa82f7ebd

SHA1
ed4d82597259cc8650e346984266a80b9e9db8d7

SHA256
52d574d2937f2f111bbc7a7878b7a902337b19e362e587f7be831a7adcd7e353

SHA512
03374e268576a3935d5ddca2469e587f6025c2b60350a67698b973d98de707b346d6db0b40e2eaaf85cb8a854fc4d790d59191beca4220b5d55c642b4f13a2b1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads