Analysis
- Max time kernel: 150s
- Max time network: 123s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 26-11-2020 14:51
Static task: static1
Behavioral task: behavioral1
- Sample: crypt.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: crypt.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: crypt.exe
- Size: 416KB
- MD5: e793fdd19ba94ce44ffcafcb8439f376
- SHA1: 7014752978ffe24dabd02e539cb5ec59c1429639
- SHA256: 809cfc5886806460a65acf74e8611daa26cc71a231d12e05ef5c13377d474947
- SHA512: cf4b78ee838eb99fb47d07f5ed165f84a13d44d9d61936014d63eaa8a92610ad2ee34b592ddb8d73e5e2de6fff76cc9a4d1fc09ed994dd1ebaa2314b3088fd34
- Score: 10/10
Malware Config
Signatures
- Disables taskbar notifications via registry modification
  Processes (crypt.exe):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (crypt.exe):
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\7D61833952FDE88100007D6105DCED21 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crypt.exe"
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\7D61833952FDE88100007D6105DCED21 = "C:\\ProgramData\\7D61833952FDE88100007D6105DCED21\\7D61833952FDE88100007D6105DCED21.exe"
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Checks whether UAC is enabled
  Processes (crypt.exe):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Suspicious behavior: EnumeratesProcesses (282 IoCs)
  Processes: crypt.exe (pid 1904), the same process repeated for every IoC
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: crypt.exe (pid 1904), 2 entries
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: crypt.exe (pid 1904), 2 entries
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: crypt.exe (pid 1904), 2 entries
- System policy modification (1 TTPs, 3 IoCs)
  Processes (crypt.exe):
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Processes
- C:\Users\Admin\AppData\Local\Temp\crypt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\crypt.exe"
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - System policy modification