Resubmissions

03-12-2024 04:56

241203-fkycrawrcm 10

03-12-2024 04:24

241203-e1rz8szmgz 10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 04:24

General

  • Target

    2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe

  • Size

    92KB

  • MD5

    56d8d0386a2dc75b88ca52ddafbd3430

  • SHA1

    165b9b0cb19bd4f849f2431b12028c179be57780

  • SHA256

    9d131d41b278c689424e6713a320e8e410501b17260bdb2a6770d9e407d82df0

  • SHA512

    02048a750b58befcdfe202626af009896d035a8a065d9fa87061fc85b94286e614f73a513ec436355a2edff1c56c53c40238f5f030106ebe9ab989d1c58693d5

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4AgOWEtLXa7ujvLCh2k77Z8fDaQg9EgDCO/v:Qw+asqN5aW/hLiOWsFj0vFaDaQSE3A

Malware Config

Signatures

  • Dharma

    Dharma is ransomware that uses security software installation to hide malicious activities.

  • Dharma family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (312) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-03_56d8d0386a2dc75b88ca52ddafbd3430_crysis_dharma.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:2300
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2304
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:2960
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1760
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:2364
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1600
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1844

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-516D0299.[MAGA24@cyberfear.com].MAGA
    Filesize: 23.5MB
    MD5: ff2c89f558909f3405c18eb940745e15
    SHA1: 85a8446e6611df77c38add6c68daae059fd821e2
    SHA256: 4d222d0e9df8c29622821f5529718f44f2e172270329a19ed50395ff253dd496
    SHA512: 19a25967042bf36c04d1ca7c1bf0fb05bd1cb4cfd354f06ef2418578f420aeb8fee98c608b7c2282993f1f9f8205ccd46804bd13f12ac5763a647e8105397495

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
    Filesize: 1KB
    MD5: 9b93304e82ff1b7bfefcdba836137f6e
    SHA1: 33166bb2627f512992910a3e09f288a3c1a1de45
    SHA256: 0a938c915325bf1e283e60c600b70580f512d1d8674f83ebb8bc27a3deb19c78
    SHA512: 7def687bb4fbc7a7547299b65e831874eb2eae7ebb24bf6a545c619fc8466658ff5f2a9a15eace4fdcd71d0fdcff667fcaf7b71c8887c4c745484187eda91e45
