809cfc5886806460a65acf74e8611daa26cc71a231d12e05ef5c13377d474947

General

Target

crypt.exe
Size

416KB
MD5

e793fdd19ba94ce44ffcafcb8439f376
SHA1

7014752978ffe24dabd02e539cb5ec59c1429639
SHA256

809cfc5886806460a65acf74e8611daa26cc71a231d12e05ef5c13377d474947
SHA512

cf4b78ee838eb99fb47d07f5ed165f84a13d44d9d61936014d63eaa8a92610ad2ee34b592ddb8d73e5e2de6fff76cc9a4d1fc09ed994dd1ebaa2314b3088fd34

Score

10^/10

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

Modify Registry

Processes:

crypt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	crypt.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	crypt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	crypt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	crypt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	crypt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	crypt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	crypt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	crypt.exe

Adds Run key to start application 2 TTPs 3 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

crypt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\7D61833952FDE88100007D6105DCED21 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crypt.exe"	crypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\7D61833952FDE88100007D6105DCED21 = "C:\\ProgramData\\7D61833952FDE88100007D6105DCED21\\7D61833952FDE88100007D6105DCED21.exe"	crypt.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	crypt.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

crypt.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" crypt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	crypt.exe

Suspicious behavior: EnumeratesProcesses 282 IoCs

Processes:

crypt.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

crypt.exe

pid process

1904 crypt.exe
1904 crypt.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

crypt.exe

pid process

1904 crypt.exe
1904 crypt.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

crypt.exe

pid process

1904 crypt.exe
1904 crypt.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

crypt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	crypt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	crypt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	crypt.exe