Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10_x64
- resource: win10
- submitted: 22-07-2020 11:36
Static task: static1
Behavioral task: behavioral1
- Sample: crysis_rxx.vexe.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: crysis_rxx.vexe.exe
- Resource: win10
General
- Target: crysis_rxx.vexe.exe
- Size: 92KB
- MD5: 6172709ad4d6c0a3cd305fc14170c41c
- SHA1: 8913a24a75090f4a2907680570b1e180f037d1d9
- SHA256: 6985917d29596b66d9bbc745a13d5577110d9b0408719c5559d23dd59a9e4f0b
- SHA512: 0cc49fb7656a455c8c0fb4a24c95ba9cdb0bab16b9fee69db88e245401e421d3160e591b2a63a097e23151b93e9ef285180d2aeffaac5560c0d400d89c1041c9
Malware Config
- Extracted: C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
- Extracted: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures

Modifies service 2 TTPs 5 IoCs
Processes: vssvc.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Drops file in System32 directory 2 IoCs
Processes: crysis_rxx.vexe.exe
description | ioc | process
- File created | C:\Windows\System32\crysis_rxx.vexe.exe | crysis_rxx.vexe.exe
- File created | C:\Windows\System32\Info.hta | crysis_rxx.vexe.exe
Suspicious behavior: EnumeratesProcesses 568 IoCs
Processes: crysis_rxx.vexe.exe
pid | process
- 3652 | crysis_rxx.vexe.exe (the same pid/process entry is repeated for every IoC listed)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe
description | pid | process
- Token: SeBackupPrivilege | 3980 | vssvc.exe
- Token: SeRestorePrivilege | 3980 | vssvc.exe
- Token: SeAuditPrivilege | 3980 | vssvc.exe
Drops desktop.ini file(s) 70 IoCs
Processes: crysis_rxx.vexe.exe (process column for every row below)
description | ioc
- File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- File opened for modification | C:\Users\Admin\Downloads\desktop.ini
- File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- File opened for modification | C:\Users\Public\Pictures\desktop.ini
- File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
- File opened for modification | C:\Users\Admin\OneDrive\desktop.ini
- File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- File opened for modification | C:\Users\Public\AccountPictures\desktop.ini
- File opened for modification | C:\$Recycle.Bin\S-1-5-21-2066881839-3229799743-3576549721-1000\desktop.ini
- File opened for modification | C:\Program Files\desktop.ini
- File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- File opened for modification | C:\Users\Admin\Pictures\desktop.ini
- File opened for modification | C:\Users\Admin\Videos\desktop.ini
- File opened for modification | C:\Users\Public\Videos\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- File opened for modification | C:\Users\Admin\Links\desktop.ini
- File opened for modification | C:\Users\Public\Documents\desktop.ini
- File opened for modification | C:\Users\Public\Music\desktop.ini
- File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
- File opened for modification | C:\Users\Admin\Contacts\desktop.ini
- File opened for modification | C:\Users\Admin\Saved Games\desktop.ini
- File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
- File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- File opened for modification | C:\Users\Admin\Music\desktop.ini
- File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- File opened for modification | C:\Users\Admin\Searches\desktop.ini
- File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
- File opened for modification | C:\Users\Public\Downloads\desktop.ini
- File opened for modification | C:\Users\Public\Libraries\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- File opened for modification | C:\Program Files (x86)\desktop.ini
- File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
- File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini
- File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
- File opened for modification | C:\Users\Admin\Documents\desktop.ini
- File opened for modification | C:\Users\Admin\Favorites\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- File opened for modification | C:\Users\Public\Desktop\desktop.ini
- File opened for modification | C:\Users\Public\desktop.ini
- File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
Drops file in Program Files directory 35186 IoCs
Processes: crysis_rxx.vexe.exe (process column for every row below)
description | ioc
- File created | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30.png
- File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\MedTile.scale-200.png
- File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PNG32.FLT
- File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.Tests.ps1
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\PopUp\Pop_up_i.png
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxt.id-6E3FAA6F.[[email protected]].rxx
- File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Access.dao.dll.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.id-6E3FAA6F.[[email protected]].rxx
- File created | C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-30_altform-unplated.png
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_18.svg.id-6E3FAA6F.[[email protected]].rxx
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ru_135x40.svg.id-6E3FAA6F.[[email protected]].rxx
- File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\RIPPLE.ELM.id-6E3FAA6F.[[email protected]].rxx
- File created | C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellLayoutModel.bin.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.id-6E3FAA6F.[[email protected]].rxx
- File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-200.png
- File created | C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-tool-view.js.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_32
- File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1
- File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinStatusBar.v11.1.dll
- File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Calling.m4a
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\heart.png
- File opened for modification | C:\Program Files\Microsoft Office\root\Client\msvcr120.dll
- File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-400.png
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\LargeTile.scale-100.png
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview-hover.svg.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4613_40x40x32.png
- File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-150.png
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\ui-strings.js
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectSmallTile.scale-200.png
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-30.png
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.id-6E3FAA6F.[[email protected]].rxx
- File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\PREVIEW.GIF.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\af_16x11.png
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\Mozilla Firefox\dependentlibs.list.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-US.PostalAddress.model
- File created | C:\Program Files\Microsoft Office\root\Templates\1033\ExpenseReport.xltx.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\40.jpg
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons_retina.png.id-6E3FAA6F.[[email protected]].rxx
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected].[[email protected]].rxx
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\ui-strings.js
- File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926306.profile.gz.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\CardBacks\Spider.png
- File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7989_24x24x32.png
- File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png
Drops startup file 5 IoCs
Processes: crysis_rxx.vexe.exe (process column for every row below)
description | ioc
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crysis_rxx.vexe.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-6E3FAA6F.[[email protected]].rxx
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-6E3FAA6F.[[email protected]].rxx
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes: crysis_rxx.vexe.exe, cmd.exe, cmd.exe
description | pid | process | target process
- PID 3652 wrote to memory of 3076 | 3652 | crysis_rxx.vexe.exe | cmd.exe
- PID 3652 wrote to memory of 3076 | 3652 | crysis_rxx.vexe.exe | cmd.exe
- PID 3076 wrote to memory of 3776 | 3076 | cmd.exe | mode.com
- PID 3076 wrote to memory of 3776 | 3076 | cmd.exe | mode.com
- PID 3076 wrote to memory of 2992 | 3076 | cmd.exe | vssadmin.exe
- PID 3076 wrote to memory of 2992 | 3076 | cmd.exe | vssadmin.exe
- PID 3652 wrote to memory of 256 | 3652 | crysis_rxx.vexe.exe | cmd.exe
- PID 3652 wrote to memory of 256 | 3652 | crysis_rxx.vexe.exe | cmd.exe
- PID 256 wrote to memory of 836 | 256 | cmd.exe | mode.com
- PID 256 wrote to memory of 836 | 256 | cmd.exe | mode.com
- PID 256 wrote to memory of 1012 | 256 | cmd.exe | vssadmin.exe
- PID 256 wrote to memory of 1012 | 256 | cmd.exe | vssadmin.exe
- PID 3652 wrote to memory of 1188 | 3652 | crysis_rxx.vexe.exe | mshta.exe
- PID 3652 wrote to memory of 1188 | 3652 | crysis_rxx.vexe.exe | mshta.exe
- PID 3652 wrote to memory of 1296 | 3652 | crysis_rxx.vexe.exe | mshta.exe
- PID 3652 wrote to memory of 1296 | 3652 | crysis_rxx.vexe.exe | mshta.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: crysis_rxx.vexe.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | crysis_rxx.vexe.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | crysis_rxx.vexe.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crysis_rxx.vexe.exe = "C:\\Windows\\System32\\crysis_rxx.vexe.exe" | crysis_rxx.vexe.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
pid | process
- 2992 | vssadmin.exe
- 1012 | vssadmin.exe
Processes
(leading number = depth in the process tree; indented "- " lines are the signatures matched by that process)
1 C:\Users\Admin\AppData\Local\Temp\crysis_rxx.vexe.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\crysis_rxx.vexe.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Adds Run key to start application
  2 C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\system32\mode.com
      command line: mode con cp select=1251
    3 C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  2 C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\system32\mode.com
      command line: mode con cp select=1251
    3 C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  2 C:\Windows\System32\mshta.exe
    command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2 C:\Windows\System32\mshta.exe
    command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
1 C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- memory/256-3-0x0000000000000000-mapping.dmp
- memory/836-6-0x0000000000000000-mapping.dmp
- memory/1012-7-0x0000000000000000-mapping.dmp
- memory/1188-8-0x0000000000000000-mapping.dmp
- memory/1296-9-0x0000000000000000-mapping.dmp
- memory/2992-2-0x0000000000000000-mapping.dmp
- memory/3076-0-0x0000000000000000-mapping.dmp
- memory/3776-1-0x0000000000000000-mapping.dmp