Analysis
- max time kernel: 150s
- max time network: 72s
- platform: windows7_x64
- resource: win7
- submitted: 22-07-2020 11:36
Static task: static1
Behavioral task: behavioral1 (Sample: crysis_rxx.vexe.exe; Resource: win7)
Behavioral task: behavioral2 (Sample: crysis_rxx.vexe.exe; Resource: win10)
General
- Target: crysis_rxx.vexe.exe
- Size: 92KB
- MD5: 6172709ad4d6c0a3cd305fc14170c41c
- SHA1: 8913a24a75090f4a2907680570b1e180f037d1d9
- SHA256: 6985917d29596b66d9bbc745a13d5577110d9b0408719c5559d23dd59a9e4f0b
- SHA512: 0cc49fb7656a455c8c0fb4a24c95ba9cdb0bab16b9fee69db88e245401e421d3160e591b2a63a097e23151b93e9ef285180d2aeffaac5560c0d400d89c1041c9
Malware Config
- Extracted: C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
- Extracted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Drops file in System32 directory (2 IoCs)
  Processes: crysis_rxx.vexe.exe
  description | ioc | process
  File created | C:\Windows\System32\crysis_rxx.vexe.exe | crysis_rxx.vexe.exe
  File created | C:\Windows\System32\Info.hta | crysis_rxx.vexe.exe
- Drops startup file (5 IoCs)
  Processes: crysis_rxx.vexe.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crysis_rxx.vexe.exe | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | crysis_rxx.vexe.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | crysis_rxx.vexe.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: crysis_rxx.vexe.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1464 wrote to memory of 1552 | 1464 | crysis_rxx.vexe.exe | cmd.exe
  PID 1464 wrote to memory of 1552 | 1464 | crysis_rxx.vexe.exe | cmd.exe
  PID 1464 wrote to memory of 1552 | 1464 | crysis_rxx.vexe.exe | cmd.exe
  PID 1464 wrote to memory of 1552 | 1464 | crysis_rxx.vexe.exe | cmd.exe
  PID 1552 wrote to memory of 1700 | 1552 | cmd.exe | mode.com
  PID 1552 wrote to memory of 1700 | 1552 | cmd.exe | mode.com
  PID 1552 wrote to memory of 1700 | 1552 | cmd.exe | mode.com
  PID 1552 wrote to memory of 1784 | 1552 | cmd.exe | vssadmin.exe
  PID 1552 wrote to memory of 1784 | 1552 | cmd.exe | vssadmin.exe
  PID 1552 wrote to memory of 1784 | 1552 | cmd.exe | vssadmin.exe
  PID 1464 wrote to memory of 1640 | 1464 | crysis_rxx.vexe.exe | cmd.exe
  PID 1464 wrote to memory of 1640 | 1464 | crysis_rxx.vexe.exe | cmd.exe
  PID 1464 wrote to memory of 1640 | 1464 | crysis_rxx.vexe.exe | cmd.exe
  PID 1464 wrote to memory of 1640 | 1464 | crysis_rxx.vexe.exe | cmd.exe
  PID 1640 wrote to memory of 1532 | 1640 | cmd.exe | mode.com
  PID 1640 wrote to memory of 1532 | 1640 | cmd.exe | mode.com
  PID 1640 wrote to memory of 1532 | 1640 | cmd.exe | mode.com
  PID 1640 wrote to memory of 1992 | 1640 | cmd.exe | vssadmin.exe
  PID 1640 wrote to memory of 1992 | 1640 | cmd.exe | vssadmin.exe
  PID 1640 wrote to memory of 1992 | 1640 | cmd.exe | vssadmin.exe
  PID 1464 wrote to memory of 2044 | 1464 | crysis_rxx.vexe.exe | mshta.exe
  PID 1464 wrote to memory of 2044 | 1464 | crysis_rxx.vexe.exe | mshta.exe
  PID 1464 wrote to memory of 2044 | 1464 | crysis_rxx.vexe.exe | mshta.exe
  PID 1464 wrote to memory of 2044 | 1464 | crysis_rxx.vexe.exe | mshta.exe
  PID 1464 wrote to memory of 2028 | 1464 | crysis_rxx.vexe.exe | mshta.exe
  PID 1464 wrote to memory of 2028 | 1464 | crysis_rxx.vexe.exe | mshta.exe
  PID 1464 wrote to memory of 2028 | 1464 | crysis_rxx.vexe.exe | mshta.exe
  PID 1464 wrote to memory of 2028 | 1464 | crysis_rxx.vexe.exe | mshta.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1760 | vssvc.exe
  Token: SeRestorePrivilege | 1760 | vssvc.exe
  Token: SeAuditPrivilege | 1760 | vssvc.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: crysis_rxx.vexe.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crysis_rxx.vexe.exe = "C:\\Windows\\System32\\crysis_rxx.vexe.exe" | crysis_rxx.vexe.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | crysis_rxx.vexe.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | crysis_rxx.vexe.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Suspicious behavior: EnumeratesProcesses (288 IoCs)
  Processes: crysis_rxx.vexe.exe
  pid | process
  1464 | crysis_rxx.vexe.exe (the report repeats this identical row for every entry it lists; all IoCs carry the same PID and process)
- Modifies Internet Explorer settings (2 IoCs)
  Processes: mshta.exe, mshta.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Drops desktop.ini file(s) (77 IoCs)
  Processes: crysis_rxx.vexe.exe
  description | ioc | process
  File opened for modification | C:\Program Files\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GVV7BJHB\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\Searches\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Documents\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Music\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AJM03J3Y\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\Favorites\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V8SX06NR\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Libraries\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\Contacts\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Desktop\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Videos\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\Links\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Downloads\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files (x86)\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\Music\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | crysis_rxx.vexe.exe
- Drops file in Program Files directory (27787 IoCs)
  Processes: crysis_rxx.vexe.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Angles.eftx.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE06049_.WMF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14831_.GIF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF | crysis_rxx.vexe.exe
  File created | C:\Program Files\Java\jre7\lib\zi\America\Tijuana.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\MSTORE_F_COL.HXK | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SPACER.GIF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\OLKIRM.XML.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00040_.GIF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Microsoft Office\Office14\FORMS\1033\SECURE.CFG.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\PREVIEW.GIF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14533_.GIF | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\NEWS11.POC.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css | crysis_rxx.vexe.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00512_.WMF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\SIDBAR98.POC.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00935_.WMF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD00405_.WMF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099177.WMF | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0216540.WMF | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar | crysis_rxx.vexe.exe
  File created | C:\Program Files\Microsoft Office\Office14\CONVERT\1033\ODBCR.SAM.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\OFFRHD.DLL | crysis_rxx.vexe.exe
  File created | C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPAPERS.INI.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21296_.GIF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_hyperlink.gif.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File created | C:\Program Files\Java\jre7\lib\zi\America\El_Salvador.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\PROOF\MSSP7FR.DLL | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH02313_.WMF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml | crysis_rxx.vexe.exe
  File created | C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\PUBWIZ\NEWS.DPV.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14833_.GIF | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\GROOVE.HXS.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen.id-9031F308.[[email protected]].rxx | crysis_rxx.vexe.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  1784 | vssadmin.exe
  1992 | vssadmin.exe
Processes
(child processes are indented under their parent; the signature bullets under each entry are the ones the report attaches to that process)

C:\Users\Admin\AppData\Local\Temp\crysis_rxx.vexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\crysis_rxx.vexe.exe"
  - Drops file in System32 directory
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\mode.com
      Command line: mode con cp select=1251

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\mode.com
      Command line: mode con cp select=1251

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies

  C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings

  C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- memory/1532-4-0x0000000000000000-mapping.dmp
- memory/1552-0-0x0000000000000000-mapping.dmp
- memory/1640-3-0x0000000000000000-mapping.dmp
- memory/1700-1-0x0000000000000000-mapping.dmp
- memory/1784-2-0x0000000000000000-mapping.dmp
- memory/1992-5-0x0000000000000000-mapping.dmp
- memory/2028-7-0x0000000000000000-mapping.dmp
- memory/2044-6-0x0000000000000000-mapping.dmp