Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-12-2024 03:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe
Resource
win7-20240903-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
General
-
Target
2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe
-
Size
92KB
-
MD5
12f4660349ce0934b349151b4bd9f65c
-
SHA1
9334fd66e9114405e328df960b0cc7685dff228f
-
SHA256
913d5701360bffd2f5acbb6facb8f1a5021beef815adaeb6ac1273345d6d05e5
-
SHA512
2c3bb5fb8f3e4d6c46ea4028fe80a12542cab0d0446f24f1f164e3ecbe9663f19b2accd6919a1e7697d16a40c210b5eb509e9690cc38e8a72f26e644b188b8a0
-
SSDEEP
1536:mBwl+KXpsqN5vlwWYyhY9S4AgOWEtLXa7ujvLCh2k77Z8fDaQg9EgDCO/vf:Qw+asqN5aW/hLiOWsFj0vFaDaQSE3A3
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (525) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 5 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe = "C:\\Windows\\System32\\2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe" 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Public\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Public\Videos\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Public\Music\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Links\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Music\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Public\Documents\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Windows\System32\Info.hta 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark.gif.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder-default.svg.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\dd_arrow_small.png.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\preloaded_data.pb.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\ui-strings.js 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_id.dll 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-125_contrast-black.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ExtendedSplashScreen.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\ui-strings.js.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-math-l1-1-0.dll.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\TriPeaks.Medium.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\sqmapi.dll 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\ui-strings.js.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.boot.tree.dat.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-32.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files\Java\jdk-1.8\bin\javac.exe.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\no_get.svg 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\System\msvcp110.dll 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxSignature.p7x 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-200.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\resource.dll.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-200.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-125.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-72.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ui-strings.js 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare-2x.png.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\AppStore_icon.svg 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Regular.otf.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\xlsrvintl.dll.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-100.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\ui-strings.js 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-cn_get.svg 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\ui-strings.js 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libgestures_plugin.dll.id-F377D531.[[email protected]].MAGA 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24.png 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 6256 vssadmin.exe 10048 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 920 vssvc.exe Token: SeRestorePrivilege 920 vssvc.exe Token: SeAuditPrivilege 920 vssvc.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2040 wrote to memory of 4260 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 83 PID 2040 wrote to memory of 4260 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 83 PID 4260 wrote to memory of 1108 4260 cmd.exe 85 PID 4260 wrote to memory of 1108 4260 cmd.exe 85 PID 4260 wrote to memory of 6256 4260 cmd.exe 86 PID 4260 wrote to memory of 6256 4260 cmd.exe 86 PID 2040 wrote to memory of 4144 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 91 PID 2040 wrote to memory of 4144 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 91 PID 4144 wrote to memory of 3308 4144 cmd.exe 93 PID 4144 wrote to memory of 3308 4144 cmd.exe 93 PID 4144 wrote to memory of 10048 4144 cmd.exe 94 PID 4144 wrote to memory of 10048 4144 cmd.exe 94 PID 2040 wrote to memory of 5176 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 95 PID 2040 wrote to memory of 5176 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 95 PID 2040 wrote to memory of 9764 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 96 PID 2040 wrote to memory of 9764 2040 2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe 96 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-11_12f4660349ce0934b349151b4bd9f65c_crysis_dharma.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:1108
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:6256
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:3308
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:10048
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵PID:5176
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵PID:9764
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:920
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-F377D531.[[email protected]].MAGA
Filesize2.7MB
MD5fb11be9e5ca4a987109403a3b771f35f
SHA1fd2afdd2b126c3028b3cb508ec19a139a8b7a54f
SHA25646b7b466f27d994a86357c04e1c8adc86f77c4c89f1a2d45acaeed0759cbc88d
SHA512094162108229c53af6518861bd36e1f0a372d0ecbcb47e9553992cdb9501b874336ad043c708a8c51f92e9a0b88ed06e2e167372658ab54ec851b824119a0a27
-
Filesize
1KB
MD52a239305093e970b55d0856d2213daa1
SHA1a5640453356ccf847dfd84d424e89d76e60b7e41
SHA25690d7f8f6eeb20904a25d8c4571772afbe309fce72c8ea89ac28aa809451dba6d
SHA5123ca361a4d3a6db60537b04a139b1769bd27e4b4bb22d15b8c300b0481670b2f13bbd4be4c3b035bc528fa32fdf8ae420e6e41ca5daaf1af8ca8e77cb99fe9291