Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/06/2024, 19:38

General

  • Target

    2024-06-14_fff3eef6bd88375c945c6e824aaada61_crysis_dharma.exe

  • Size

    92KB

  • MD5

    fff3eef6bd88375c945c6e824aaada61

  • SHA1

    b0039998d6502abf669c930fb6aed54ff0d897c0

  • SHA256

    6d45dd640c89364d88a3c7cb31d045790b7604c788da59851cc6f68b8d5a7348

  • SHA512

    2cb33b419d15fb175c3cf3aa04a6fb04b2afd8d9ad55875576fd57a809da5a201a9c196f635446846d1618aa20b1bf84f8d1cf2c4b8e0058045c3a2bf77dc268

  • SSDEEP

    1536:GBwl+KXpsqN5vlwWYyhZ9S4AY362F8v3Fm6b+awACy3mMP6:ww+asqN5aW/hSy362FSSuCvF

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (666) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-14_fff3eef6bd88375c945c6e824aaada61_crysis_dharma.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-14_fff3eef6bd88375c945c6e824aaada61_crysis_dharma.exe"
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        PID:5460
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        • Interacts with shadow copies
        PID:1228
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      • Suspicious use of WriteProcessMemory
      PID:8148
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        PID:3608
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        • Interacts with shadow copies
        PID:7848
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID:5468
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID:6852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:4884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-6CBA663F.[[email protected]].eur

    Filesize
    3.2MB

    MD5
    88ef10e27211a39015eb565b2d6bca40

    SHA1
    09ccbf60bd0dc5871b9233b5096ff85cad17690d

    SHA256
    5c56bbc7c8e7acf3edf69e2caa799db2bdb3c77ef9deec0cc2302c208c68b49b

    SHA512
    519503431def44884a9adfa38d13266f2133357ba0c2278b8bb91e4cb5a825f51b63ce220d68cfc9fe68bd9ccd7f4e4d616d92b3969b4b1a97e98a23321f3bb9

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

    Filesize
    7KB

    MD5
    fdf84b0fe588270fa7731174d8677025

    SHA1
    304f8d613bccf74a8a930aad17fe61ae9304a600

    SHA256
    c8b1e02b3010184ceef8250982adb7675e143bcb08d042f905041ecf7bd866ab

    SHA512
    3898937f0038100d76e5e53c98c5dfe13d58bade1c30dd135d67926e6f8a417ec1b059dab93598550b0c8963e06429af32f241c8359d0703d2a0ed27a7e6dcfc