69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136

General

Target

aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
Size

1.9MB
MD5

063771d5573448ee6a271584a4b6a26a
SHA1

e23637ea81751e558fca17ef1a54b6e39d2e83c3
SHA256

69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136
SHA512

b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf

Score

10^/10

cryptone packer ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt

Ransom Note

The network is LOCKED with PAYLOADBIN ransomware. Don't try to use other software. For decryption KEY write HERE: #1 [email protected] | #2 [email protected]

Emails

[email protected]

Signatures

CryptOne packer 4 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\SetupPlay8\Dev	cryptone
\Users\Admin\AppData\Roaming\SetupPlay8\Dev	cryptone
C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev	cryptone
C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev	cryptone

Executes dropped EXE 1 IoCs

Processes:

Dev

pid process

612 Dev

pid	process
612	Dev

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Dev

description	ioc	process
File renamed	C:\Users\Admin\Pictures\OptimizeUninstall.crw => C:\Users\Admin\Pictures\OptimizeUninstall.crw.PAYLOADBIN	Dev
File opened for modification	C:\Users\Admin\Pictures\OptimizeUninstall.crw.PAYLOADBIN	Dev

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1648 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe

pid process

1072 aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
1072 aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe

pid	process
1648	cmd.exe

pid	process
1072	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
1072	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exeDevcmd.execmd.exe

description	pid	process	target process
PID 1072 wrote to memory of 612	1072	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe	Dev
PID 1072 wrote to memory of 612	1072	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe	Dev
PID 1072 wrote to memory of 612	1072	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe	Dev
PID 612 wrote to memory of 620	612	Dev	cmd.exe
PID 612 wrote to memory of 620	612	Dev	cmd.exe
PID 612 wrote to memory of 620	612	Dev	cmd.exe
PID 1072 wrote to memory of 1648	1072	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe	cmd.exe
PID 1072 wrote to memory of 1648	1072	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe	cmd.exe
PID 1072 wrote to memory of 1648	1072	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe	cmd.exe
PID 620 wrote to memory of 776	620	cmd.exe	waitfor.exe
PID 620 wrote to memory of 776	620	cmd.exe	waitfor.exe
PID 620 wrote to memory of 776	620	cmd.exe	waitfor.exe
PID 1648 wrote to memory of 672	1648	cmd.exe	waitfor.exe
PID 1648 wrote to memory of 672	1648	cmd.exe	waitfor.exe
PID 1648 wrote to memory of 672	1648	cmd.exe	waitfor.exe

C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
"C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev
C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev /go
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\system32\cmd.exe
cmd /c waitfor /t 10 pause /d y & del "C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev" & rd "C:\Users\Admin\AppData\Roaming\SetupPlay8\"
3⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\system32\waitfor.exe
waitfor /t 10 pause /d y
4⤵
PID:776

C:\Windows\system32\cmd.exe
cmd /c waitfor /t 10 pause /d y & del "C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\waitfor.exe
waitfor /t 10 pause /d y
3⤵
PID:672

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev
MD5
063771d5573448ee6a271584a4b6a26a

SHA1
e23637ea81751e558fca17ef1a54b6e39d2e83c3

SHA256
69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136

SHA512
b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf

Download Submit
C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev
MD5
063771d5573448ee6a271584a4b6a26a

SHA1
e23637ea81751e558fca17ef1a54b6e39d2e83c3

SHA256
69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136

SHA512
b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf

Download Submit
\Users\Admin\AppData\Roaming\SetupPlay8\Dev
MD5
063771d5573448ee6a271584a4b6a26a

SHA1
e23637ea81751e558fca17ef1a54b6e39d2e83c3

SHA256
69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136

SHA512
b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf

Download Submit
\Users\Admin\AppData\Roaming\SetupPlay8\Dev
MD5
063771d5573448ee6a271584a4b6a26a

SHA1
e23637ea81751e558fca17ef1a54b6e39d2e83c3

SHA256
69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136

SHA512
b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf

Download Submit
memory/612-63-0x0000000000000000-mapping.dmp

Download
memory/612-65-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/620-67-0x0000000000000000-mapping.dmp

Download
memory/672-70-0x0000000000000000-mapping.dmp

Download
memory/776-69-0x0000000000000000-mapping.dmp

Download
memory/1072-59-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1072-60-0x0000000001B20000-0x0000000001CE8000-memory.dmp

Filesize
1.8MB

Download
memory/1648-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads