Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/06/2024, 19:53

General

  • Target

    2024-06-11_e7336fd4620b673218b73b52d3d359f4_crysis_dharma.exe

  • Size

    92KB

  • MD5

    e7336fd4620b673218b73b52d3d359f4

  • SHA1

    ea64c1177ca3cd54a906a7a3ed93efb140305e5f

  • SHA256

    19cd6b2b765dae01da69b7070b96551a14237ea1b0192bb8282e76af07bef6ae

  • SHA512

    162d709c280ffd76a4482e1cab5c5609cbee0d547a13af6f6f7d086b193351d60136e7129c3e7de633335f93bd0a970982ad3446b27cb2e2c29325bb7e34783e

  • SSDEEP

    1536:GBwl+KXpsqN5vlwWYyhZ9S4A3CnBt8WKuKZLlKYy2lsC:ww+asqN5aW/hSFEX8WKuulvyKsC

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
DELTACAFES YOUR FILES ARE ENCRYPTED Don't worry, you can return all your files! ALL FILES ARE DOWLOADED TO OUR SERVER If you want to restore them, write to the mail: [email protected] YOUR ID [email protected] ATTENTION for DELTA We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (316) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-11_e7336fd4620b673218b73b52d3d359f4_crysis_dharma.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_e7336fd4620b673218b73b52d3d359f4_crysis_dharma.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:2888
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2596
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:412
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:1880
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
          • Modifies Internet Explorer settings
          PID:2784
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
          • Modifies Internet Explorer settings
          PID:3096
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1584

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

        Filesize

        2KB

        MD5

        2a5fe25f3cd4651134b6d26f5f287d27

        SHA1

        0ce953e3610460ba76d2a480baf73bc7d9363b19

        SHA256

        8db3d398605c51ea415384c87ea19dc82f05fbe240847451fa1196944280e861

        SHA512

        e83e64170248deabffb93e68865d568235cfb602d6fdf4b156d980b3cb72a426edb44bf84420190a5e4fdcc474b2913d8c9f1cdc820c00ad9e0141cb86d7678e