Analysis
- max time kernel: 43s
- max time network: 51s
- platform: windows7_x64
- resource: win7
- submitted: 07-10-2020 23:06
Static task: static1
Behavioral task: behavioral1
- Sample: SunCrypt.ps1
- Resource: win7
Behavioral task: behavioral2
- Sample: SunCrypt.ps1
- Resource: win10v200722
General
- Target: SunCrypt.ps1
- Size: 1.6MB
- MD5: c171bcd34151cbcd48edbce13796e0ed
- SHA1: 2770fec86275dfb1a4a05e2d56bc27a089197666
- SHA256: 63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806
- SHA512: d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da
Malware Config
Signatures

SunCrypt Ransomware
Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.
Blacklisted process makes network request (2 IoCs)
- flow 5: pid 1972, powershell.exe
- flow 6: pid 1972, powershell.exe
The report records the two flows but not their destinations. Both originate from the 32-bit PowerShell instance (PID 1972), the same process that performs the file renames below.
Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
- File renamed: C:\Users\Admin\Pictures\SendSwitch.tiff => C:\Users\Admin\Pictures\SendSwitch.tiff.253826A21D056461F397E5D8950631B809E30F40E15E2575D8DD5928D0436542 (powershell.exe)
- File opened for modification: C:\Users\Admin\Pictures\WriteConvert.tiff (powershell.exe)
- File renamed: C:\Users\Admin\Pictures\WriteConvert.tiff => C:\Users\Admin\Pictures\WriteConvert.tiff.7869AA5F1F3BCE7859B31F781C297AAAD1D1A7545F9370CF75547BA740947F67 (powershell.exe)
- File renamed: C:\Users\Admin\Pictures\DebugApprove.png => C:\Users\Admin\Pictures\DebugApprove.png.D8A89553536EA3479452415C23BE7365C9BC294FA9CAAF20F8C6A4549D09D414 (powershell.exe)
- File opened for modification: C:\Users\Admin\Pictures\SendSwitch.tiff (powershell.exe)
- File renamed: C:\Users\Admin\Pictures\MoveInitialize.png => C:\Users\Admin\Pictures\MoveInitialize.png.D972CBBA45A9B111EB0C77C7AF323C23A52875D3F5DA28A1F5A214877C558160 (powershell.exe)
The original file name and extension are kept and a suffix of exactly 64 hexadecimal characters is appended, and the suffix differs for every file. There is therefore no fixed "SunCrypt extension" to put on a blocklist; detections should match the shape (a dot followed by 64 hex characters) rather than a literal string.
Drops startup file (1 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YOUR_FILES_ARE_ENCRYPTED.HTML (powershell.exe)
YOUR_FILES_ARE_ENCRYPTED.HTML is the ransom note; both the file name and its placement in the Word STARTUP folder are usable as hunt indicators.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. The report lists no individual IoCs for this signature.
Drops desktop.ini file(s) (35 IoCs)
All 35 entries are "File opened for modification" by powershell.exe:
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Pictures\Sample Pictures\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Public\Music\Sample Music\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Public\Recorded TV\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Public\Videos\Sample Videos\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Favorites\Links for United States\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AJM03J3Y\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TGVUK4BG\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Public\Recorded TV\Sample Media\desktop.ini
Every path sits under C:\Users, which is what a recursive walk of the user profile folders looks like; desktop.ini is a hidden system file, so the walker evidently does not skip hidden items. The report shows these files being opened for write, not renamed.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by powershell.exe for every drive letter except C: and D:: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
The probe is a blind read-only open of each root from A: through Z: (including the floppy letters A: and B:), i.e. a sweep for any additional mapped or removable volume rather than a query of what is actually mounted.
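Taken one at a time, the rename events, the ransom note in the Word STARTUP folder, the desktop.ini opens and the A: to Z: sweep are each weak signals; together, attributed to one process, they are a strong one. The Python below is an added example written for this page (it is not code from the report, the sandbox, or the SunCrypt sample) that parses event lines in the wording this report uses and scores each process on those four behaviours. Treating the report's IoC wording as a parseable log line, the constructed sample events (the PID 1972 IoCs above plus a benign explorer.exe control) and the thresholds in verdict() are all assumptions.

```python
"""Score sandbox file events per process for SunCrypt-style behaviour.

Added example for this page, not code from the report, the sandbox or the
SunCrypt sample. Treating the report's IoC wording as a parseable log line,
the sample events below and the thresholds in verdict() are all assumptions.
"""
import re
from collections import defaultdict

# SunCrypt keeps name and extension and appends "." + 64 hex characters;
# the suffix differs for every file, so match the shape, not a literal.
HEX64_SUFFIX = re.compile(r"\.[0-9A-Fa-f]{64}$")
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")        # \??\E:
STARTUP_DROP = re.compile(r"\\STARTUP\\[^\\]+$", re.I)   # file written into a *\STARTUP\ folder

RENAME = re.compile(r"^File renamed (.+?) => (.+)$")
OPEN_MOD = re.compile(r"^File opened for modification (.+)$")
OPEN_RO = re.compile(r"^File opened \(read-only\) (.+)$")
CREATED = re.compile(r"^File created (.+)$")


def encrypted_rename(src, dst):
    """True when dst is exactly src + '.' + 64 hex characters."""
    return (dst.startswith(src + ".") and len(dst) == len(src) + 65
            and HEX64_SUFFIX.search(dst) is not None)


def new_indicators():
    return {"hex_renames": 0, "suffixes": set(), "drives": set(),
            "desktop_ini": 0, "startup_drops": [], "verdict": "benign"}


def verdict(ind):
    """Assumed scoring: two or more independent behaviours => ransomware."""
    hits = 0
    if ind["hex_renames"] >= 3 and len(ind["suffixes"]) == ind["hex_renames"]:
        hits += 1                      # a unique suffix per file is the strongest signal
    if len(ind["drives"]) >= 10:       # the report shows 24 roots probed
        hits += 1
    if ind["desktop_ini"] >= 5:        # the report shows 35 desktop.ini opens
        hits += 1
    if ind["startup_drops"]:
        hits += 1
    return "ransomware" if hits >= 2 else "suspicious" if hits == 1 else "benign"


def score_events(events):
    """events: iterable of (image, pid, description) -> {(image, pid): indicators}."""
    out = defaultdict(new_indicators)
    for image, pid, desc in events:
        ind = out[(image, pid)]
        m = RENAME.match(desc)
        if m:
            src, dst = m.groups()
            if encrypted_rename(src, dst):
                ind["hex_renames"] += 1
                ind["suffixes"].add(dst[-64:])
            continue
        m = OPEN_MOD.match(desc)
        if m:
            if m.group(1).lower().endswith("\\desktop.ini"):
                ind["desktop_ini"] += 1
            continue
        m = OPEN_RO.match(desc)
        if m:
            d = DRIVE_ROOT.match(m.group(1))
            if d:
                ind["drives"].add(d.group(1).upper())
            continue
        m = CREATED.match(desc)
        if m and STARTUP_DROP.search(m.group(1)):
            ind["startup_drops"].append(m.group(1))
    for ind in out.values():
        ind["verdict"] = verdict(ind)
    return dict(out)


# Constructed sample: the report's IoCs for PID 1972 plus a benign explorer.exe control.
PIC = "C:\\Users\\Admin\\Pictures\\"
PS = ("powershell.exe", 1972)
SAMPLE_EVENTS = [
    PS + ("File renamed " + PIC + "SendSwitch.tiff => " + PIC + "SendSwitch.tiff.253826A21D056461F397E5D8950631B809E30F40E15E2575D8DD5928D0436542",),
    PS + ("File opened for modification " + PIC + "WriteConvert.tiff",),
    PS + ("File renamed " + PIC + "WriteConvert.tiff => " + PIC + "WriteConvert.tiff.7869AA5F1F3BCE7859B31F781C297AAAD1D1A7545F9370CF75547BA740947F67",),
    PS + ("File renamed " + PIC + "DebugApprove.png => " + PIC + "DebugApprove.png.D8A89553536EA3479452415C23BE7365C9BC294FA9CAAF20F8C6A4549D09D414",),
    PS + ("File renamed " + PIC + "MoveInitialize.png => " + PIC + "MoveInitialize.png.D972CBBA45A9B111EB0C77C7AF323C23A52875D3F5DA28A1F5A214877C558160",),
    PS + ("File created C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\YOUR_FILES_ARE_ENCRYPTED.HTML",),
    ("explorer.exe", 1400, "File renamed C:\\Users\\Admin\\Documents\\notes.txt => C:\\Users\\Admin\\Documents\\notes.bak"),
    ("explorer.exe", 1400, "File opened for modification C:\\Users\\Admin\\Desktop\\desktop.ini"),
    ("explorer.exe", 1400, "File opened (read-only) \\??\\C:"),
]
SAMPLE_EVENTS += [PS + ("File opened for modification " + p + "\\desktop.ini",) for p in (
    "C:\\Users\\Public\\Libraries", "C:\\Users\\Public\\Pictures", "C:\\Users\\Admin\\Documents",
    "C:\\Users\\Admin\\Desktop", "C:\\Users\\Admin\\Downloads", "C:\\Users\\Admin\\Pictures")]
SAMPLE_EVENTS += [PS + ("File opened (read-only) \\??\\" + d + ":",) for d in "ABEFGHIJKLMNOPQRSTUVWXYZ"]


def analyse(events=None):
    return score_events(SAMPLE_EVENTS if events is None else events)


if __name__ == "__main__":
    for (image, pid), ind in analyse().items():
        print(image, pid, ind["verdict"], ind["hex_renames"], len(ind["drives"]),
              ind["desktop_ini"], len(ind["startup_drops"]))
```

Run stand-alone it prints one line per process: PID 1972 scores "ransomware" (four hex renames with four distinct suffixes, 24 drive roots, six desktop.ini opens, one STARTUP drop) while the explorer.exe control, which renames to .bak and touches one desktop.ini and only C:, stays "benign". The per-file-unique-suffix check is the part worth keeping: a legitimate bulk rename to a backup extension produces one suffix for many files, SunCrypt produces one suffix per file.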
Modifies service (2 TTPs, 5 IoCs)
All five are "Key created" by vssvc.exe:
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
These keys are written by the Volume Shadow Copy service itself as its writers initialise. They show that VSS was activated during the run, but the report does not capture which process requested the shadow-copy operation or what that request was.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- pid 1124, powershell.exe
- pid 1124, powershell.exe
- pid 1972, powershell.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, pid 1124, powershell.exe
- Token: SeDebugPrivilege, pid 1972, powershell.exe
- Token: SeBackupPrivilege, pid 1200, vssvc.exe
- Token: SeRestorePrivilege, pid 1200, vssvc.exe
- Token: SeAuditPrivilege, pid 1200, vssvc.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Writer pid (image) -> target pid, number of recorded writes, procid_target:
- 1124 (powershell.exe) -> 1888, 3 writes, procid_target 29
- 1888 (csc.exe) -> 1892, 3 writes, procid_target 30
- 1124 (powershell.exe) -> 1972, 4 writes, procid_target 31
- 1972 (powershell.exe) -> 688, 4 writes, procid_target 33
- 688 (csc.exe) -> 948, 4 writes, procid_target 34
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1124)
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\SunCrypt.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1888)
  |     command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1m4xmgcn\1m4xmgcn.cmdline"
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1892)
  |           command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162F.tmp" "c:\Users\Admin\AppData\Local\Temp\1m4xmgcn\CSCB5AEF1FCB01941A99B51926FC9B7A76.TMP"
  |
  +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1972)
        command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\SunCrypt.ps1"
        - Blacklisted process makes network request
        - Modifies extensions of user files
        - Drops startup file
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 688)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbvcw2qv\lbvcw2qv.cmdline"
              - Suspicious use of WriteProcessMemory
              |
              +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 948)
                    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3302.tmp" "c:\Users\Admin\AppData\Local\Temp\lbvcw2qv\CSCD158FD3B6D33450887D3EC338B93EB74.TMP"

C:\Windows\system32\vssvc.exe (PID 1200)
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the 64-bit host (PID 1124, System32) is started with an execution-policy bypass, compiles C# inline (csc.exe with a response file under %TEMP%, then cvtres.exe), and relaunches the same script under the 32-bit PowerShell in SysWOW64 (PID 1972), which repeats the compile step. Every file-system and network signature is attributed to the 32-bit instance, not the one the submission launched. vssvc.exe (PID 1200) is the Volume Shadow Copy service; it is shown at top level because the report records no parent for it.
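The chain a detection should key on is visible in the tree: a PowerShell started with an execution-policy bypass, an inline C# compile (csc.exe with a .cmdline response file under %TEMP%, the form .NET's CodeDom compiler uses for PowerShell Add-Type, followed by cvtres.exe), and a 64-bit PowerShell relaunching the same script under the 32-bit SysWOW64 host. The Python below is an added example for this page, not code from the report or from SunCrypt; it encodes those checks over process-creation records constructed from the tree above. The record layout (pid, ppid, image, command line), the parent PID 0 given to the two roots whose parents the report does not show, and the regexes are assumptions.

```python
"""Process-lineage checks for the PowerShell -> csc.exe -> cvtres.exe chain.

Added example for this page, not code from the report or the SunCrypt sample.
The record layout (pid, ppid, image, cmdline), the parent PID 0 for roots
whose parent the report does not show, and the regexes are assumptions.
"""
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of -ExecutionPolicy (-ep, -ex, -exec ...).
EXEC_POLICY_BYPASS = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+(?:bypass|unrestricted)\b")
# csc.exe driven by .NET CodeDom (e.g. PowerShell Add-Type) is given a random-named
# .cmdline response file under %TEMP%\<random>\ and then runs cvtres.exe.
CODEDOM_CSC = re.compile(r'(?i)/noconfig\s+/fullpaths\s+@"[^"]*\\Temp\\[^"\\]+\\[^"\\]+\.cmdline"')
SCRIPT_ARG = re.compile(r'(?i)-f(?:ile)?\s+"?([^"\s]+\.ps1)"?')


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_wow64(path):
    return "\\syswow64\\" in path.lower()


def ancestry(by_pid, pid):
    """Image names from the outermost recorded ancestor down to pid."""
    chain, seen = [], set()
    p = by_pid.get(pid)
    while p and p.pid not in seen:
        seen.add(p.pid)
        chain.append(image_name(p.image))
        p = by_pid.get(p.ppid)
    return chain[::-1]


def lineage_findings(procs):
    """Return {pid: [rule names]} for every process that trips at least one rule."""
    by_pid = {p.pid: p for p in procs}
    findings = defaultdict(list)
    for p in procs:
        img = image_name(p.image)
        parent = by_pid.get(p.ppid)
        pimg = image_name(parent.image) if parent else None
        if img in PS_IMAGES and EXEC_POLICY_BYPASS.search(p.cmdline):
            findings[p.pid].append("powershell_execution_policy_bypass")
        if img == "csc.exe" and pimg in PS_IMAGES and CODEDOM_CSC.search(p.cmdline):
            findings[p.pid].append("powershell_inline_csharp_compile")
        if img == "cvtres.exe" and pimg == "csc.exe":
            gp = by_pid.get(parent.ppid)
            if gp and image_name(gp.image) in PS_IMAGES:
                findings[p.pid].append("csc_cvtres_under_powershell")
        if (img in PS_IMAGES and pimg in PS_IMAGES
                and is_wow64(p.image) and not is_wow64(parent.image)):
            child, par = SCRIPT_ARG.search(p.cmdline), SCRIPT_ARG.search(parent.cmdline)
            if child and par and child.group(1).lower() == par.group(1).lower():
                findings[p.pid].append("powershell_wow64_relaunch_same_script")
    return dict(findings)


# Constructed from the report's process tree; ppid 0 = parent not recorded (assumption).
SAMPLE_PROCS = [
    Proc(1124, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\SunCrypt.ps1"),
    Proc(1888, 1124, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1m4xmgcn\1m4xmgcn.cmdline"'),
    Proc(1892, 1888, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162F.tmp" "c:\Users\Admin\AppData\Local\Temp\1m4xmgcn\CSCB5AEF1FCB01941A99B51926FC9B7A76.TMP"'),
    Proc(1972, 1124, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\SunCrypt.ps1"'),
    Proc(688, 1972, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbvcw2qv\lbvcw2qv.cmdline"'),
    Proc(948, 688, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3302.tmp" "c:\Users\Admin\AppData\Local\Temp\lbvcw2qv\CSCD158FD3B6D33450887D3EC338B93EB74.TMP"'),
    Proc(1200, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]


if __name__ == "__main__":
    by_pid = {p.pid: p for p in SAMPLE_PROCS}
    for pid, rules in sorted(lineage_findings(SAMPLE_PROCS).items()):
        print(pid, " > ".join(ancestry(by_pid, pid)), rules)
```

On the constructed records both PowerShell instances trip the bypass rule, PID 1972 additionally trips the WOW64 relaunch rule, both csc.exe processes trip the inline-compile rule and both cvtres.exe processes trip the csc-under-PowerShell rule; vssvc.exe trips nothing. The relaunch rule deliberately requires the same .ps1 path in parent and child so that an administrator's unrelated 32-bit PowerShell session does not fire it.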