Overview

overview

10

Static

static

10

2024-06-14...ma.exe

windows7-x64

10

2024-06-14...ma.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2024 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-14_1e671ca2cbefd97438ca78c1cb3aaa33_crysis_dharma.exe

  • Size

    92KB

  • MD5

    1e671ca2cbefd97438ca78c1cb3aaa33

  • SHA1

    8c9937037363e7fcbe09a18ad62c5fb1889f6dfb

  • SHA256

    71d4fe0aebfc24fbd7b7d6009c3a8c5d6ba1c0321ed0858d69b6ede7e9ae3c78

  • SHA512

    23f81119bd65a8cac4826d4ccf85ada3b2e7a48c28c6318fdb82518b6551ae6679fc05c25c40551c65f6eca3c92514564edf08a9ae68f78451607ea910d99fea

  • SSDEEP

    1536:GBwl+KXpsqN5vlwWYyhZ9S4AtdTS2KdAHo3XJ+y+fDDQtT/GF:ww+asqN5aW/hS/dTaJ3Xt+UTu

Score
10/10
dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
We downloaded to our servers and encrypted all your databases and personal information! If you do not write to us within 24 hours, we will start publishing and selling your data on the darknet on hacker sites and offer the information to your competitors email us: [email protected] YOUR ID If you haven't heard back within 24 hours, write to this email: [email protected] IMPORTANT INFORMATION! Keep in mind that once your data appears on our leak site,it could be bought by your competitors at any second, so don't hesitate for a long time.The sooner you pay the ransom, the sooner your company will be safe.. Guarantee:If we don't provide you with a decryptor or delete your data after you pay,no one will pay us in the future. We value our reputation. Guarantee key:To prove that the decryption key exists, we can test the file (not the database and backup) for free. Do not try to decrypt your data using third party software, it may cause permanent data loss. Don't go to recovery companies - they are essentially just middlemen.Decryption of your files with the help of third parties may cause increased price (they add their fee to our) we're the only ones who have the decryption keys.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (323) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-14_1e671ca2cbefd97438ca78c1cb3aaa33_crysis_dharma.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-14_1e671ca2cbefd97438ca78c1cb3aaa33_crysis_dharma.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:2680
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2644
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:1736
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:4008
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
          • Modifies Internet Explorer settings
          PID:1688
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
          • Modifies Internet Explorer settings
          PID:3964
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2648

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Indicator Removal

      2
      T1070

      File Deletion

      2
      T1070.004

      Modify Registry

      2
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      2
      T1490

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-507F5985.[[email protected]].SYSDF
        Filesize

        23.5MB

        MD5

        a77555aae6f500a8d2c78e372f13f471

        SHA1

        cc8b66731bd33b5aba47244a15671da049cc7657

        SHA256

        bbe9435ce489f041f789b97085b86337e7b0178b337958a36483691cda64ee99

        SHA512

        54679df69f50c46028461526272084f3dedf1e59a5508e50974a501da8233b1dc41139b57112df1cecf229105028469d05fe854dded5568088edb3ea9aa5a149

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
        Filesize

        7KB

        MD5

        a5eda077143163f2259d9d9790c547d4

        SHA1

        8cf9afa2b64f33f7c98576742f75d855cfa2bf04

        SHA256

        1104be355b52dcb44496b7bf4d1b148e45e4075b197df16413ac31e4a68bca61

        SHA512

        89f4096fd796df3c0b1c8e2e9d04f1fca5a0b019de8d43f5daf839bf5b8fc6812b8c5488efe50ffe384adfc5b7b20f4730a120b1c1c047c7aaf1ec9fe879518f

        Download Submit
      • memory/3964-20091-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp
        Filesize

        64KB

        Download