69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136

General

Target

aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
Size

1.9MB
MD5

063771d5573448ee6a271584a4b6a26a
SHA1

e23637ea81751e558fca17ef1a54b6e39d2e83c3
SHA256

69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136
SHA512

b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf

Score

10^/10

cryptone packer ransomware

Malware Config

Extracted

Path

C:\PAYLOADBIN-README.txt

Ransom Note

The network is LOCKED with PAYLOADBIN ransomware. Don't try to use other software. For decryption KEY write HERE: #1 [email protected] | #2 [email protected]

Emails

[email protected]

Signatures

CryptOne packer 2 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WispWimmount\Auth	cryptone
C:\Users\Admin\AppData\Roaming\WispWimmount\Auth	cryptone

Executes dropped EXE 1 IoCs

Processes:

Auth

pid process

692 Auth

pid	process
692	Auth

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Auth

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UpdateComplete.png => C:\Users\Admin\Pictures\UpdateComplete.png.PAYLOADBIN	Auth
File renamed	C:\Users\Admin\Pictures\WaitBackup.tif => C:\Users\Admin\Pictures\WaitBackup.tif.PAYLOADBIN	Auth
File opened for modification	C:\Users\Admin\Pictures\WaitBackup.tif.PAYLOADBIN	Auth
File renamed	C:\Users\Admin\Pictures\ResolveHide.tiff => C:\Users\Admin\Pictures\ResolveHide.tiff.PAYLOADBIN	Auth
File opened for modification	C:\Users\Admin\Pictures\ResolveHide.tiff.PAYLOADBIN	Auth
File renamed	C:\Users\Admin\Pictures\StartUninstall.tif => C:\Users\Admin\Pictures\StartUninstall.tif.PAYLOADBIN	Auth
File opened for modification	C:\Users\Admin\Pictures\StartUninstall.tif.PAYLOADBIN	Auth
File renamed	C:\Users\Admin\Pictures\TraceExport.tif => C:\Users\Admin\Pictures\TraceExport.tif.PAYLOADBIN	Auth
File opened for modification	C:\Users\Admin\Pictures\TraceExport.tif.PAYLOADBIN	Auth
File opened for modification	C:\Users\Admin\Pictures\UpdateComplete.png.PAYLOADBIN	Auth

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exeAuthcmd.execmd.exe

description	pid	process	target process
PID 3424 wrote to memory of 692	3424	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe	Auth
PID 3424 wrote to memory of 692	3424	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe	Auth
PID 692 wrote to memory of 3820	692	Auth	cmd.exe
PID 692 wrote to memory of 3820	692	Auth	cmd.exe
PID 3424 wrote to memory of 1348	3424	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe	cmd.exe
PID 3424 wrote to memory of 1348	3424	aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe	cmd.exe
PID 3820 wrote to memory of 3120	3820	cmd.exe	waitfor.exe
PID 3820 wrote to memory of 3120	3820	cmd.exe	waitfor.exe
PID 1348 wrote to memory of 3104	1348	cmd.exe	waitfor.exe
PID 1348 wrote to memory of 3104	1348	cmd.exe	waitfor.exe

C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
"C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Roaming\WispWimmount\Auth
C:\Users\Admin\AppData\Roaming\WispWimmount\Auth /go
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SYSTEM32\cmd.exe
cmd /c waitfor /t 10 pause /d y & del "C:\Users\Admin\AppData\Roaming\WispWimmount\Auth" & rd "C:\Users\Admin\AppData\Roaming\WispWimmount\"
3⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\system32\waitfor.exe
waitfor /t 10 pause /d y
4⤵
PID:3120

C:\Windows\SYSTEM32\cmd.exe
cmd /c waitfor /t 10 pause /d y & del "C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\system32\waitfor.exe
waitfor /t 10 pause /d y
3⤵
PID:3104

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WispWimmount\Auth
MD5
063771d5573448ee6a271584a4b6a26a

SHA1
e23637ea81751e558fca17ef1a54b6e39d2e83c3

SHA256
69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136

SHA512
b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf

Download Submit
C:\Users\Admin\AppData\Roaming\WispWimmount\Auth
MD5
063771d5573448ee6a271584a4b6a26a

SHA1
e23637ea81751e558fca17ef1a54b6e39d2e83c3

SHA256
69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136

SHA512
b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf

Download Submit
memory/692-116-0x0000000000000000-mapping.dmp

Download
memory/692-119-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1348-122-0x0000000000000000-mapping.dmp

Download
memory/3104-124-0x0000000000000000-mapping.dmp

Download
memory/3120-123-0x0000000000000000-mapping.dmp

Download
memory/3424-114-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3424-115-0x0000000001F10000-0x00000000020D8000-memory.dmp

Filesize
1.8MB

Download
memory/3820-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads