Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-06-12...ma.exe

windows7-x64

10

2024-06-12...ma.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    12/06/2024, 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-12_76cf59702e9eec0e14fae6da497d999e_crysis_dharma.exe

  • Size

    92KB

  • MD5

    76cf59702e9eec0e14fae6da497d999e

  • SHA1

    5f1b10bbb98e80d9d184a139271d4457407cc3bd

  • SHA256

    8f75e4e2ff12ce8cabe25e9aed3a965d247e2eebff5bccccb2d8efdb4eb6ca3e

  • SHA512

    89037308027f16f95adf9ad44049da01bb4e0138d5baee868ba27806582cf7f3831a184fc2f9f0e3ad84408ddba74786d2663c27c22f719950997ccda3b66540

  • SSDEEP

    1536:GBwl+KXpsqN5vlwWYyhZ9S4A0viICNPpzURZOZAKstB860gkyP2EO8rN:ww+asqN5aW/hSQ9CNPBURZzKsXx3PAEN

Score
10/10
dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (313) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_76cf59702e9eec0e14fae6da497d999e_crysis_dharma.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_76cf59702e9eec0e14fae6da497d999e_crysis_dharma.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:2804
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2708
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3772
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:3792
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:3388
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
          • Modifies Internet Explorer settings
          PID:2380
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
          • Modifies Internet Explorer settings
          PID:3420
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1608

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-E2D89CED.[[email protected]].2020
        Filesize

        23.5MB

        MD5

        700f364bd57f943f459c3efd8d2f4ec2

        SHA1

        647eef6d6044bfff50cd6f4e13779ec95c721bbc

        SHA256

        e7a52bf12e556ec0402e49b2332143b2f9337b45c4f0d3bda1a06af39d813da8

        SHA512

        8f67c6b564a56d4bc2bc8036b6af661eec219cb96527cfb2c58f746994bafe9b36ae8fd094e2c0430b482d26d6f6828157949bc2bb440511ffc756ac05da0116

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
        Filesize

        7KB

        MD5

        af97ad0d0edb9ecdae9ec95a1d20110e

        SHA1

        60c4d24787ced7fa73537358badaaebcdcbc8185

        SHA256

        66747805b933661f67d187a6ab02b570e6e1c3080ad16fa095785e765ee1b101

        SHA512

        3d30be173d835e728e71cc171b65e63b057adc3976a7ee75de6a2d95fe72eb3c46f213fce361c901e83af1c994ca13a6c3db556ce147ff5d9bce391af32213c3

        Download Submit