Analysis
- max time kernel: 129s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-07-2021 12:39
Static task: static1
Behavioral task: behavioral1
  Sample: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
  Resource: win10v20210408
General
- Target: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
- Size: 207KB
- MD5: b961eb350e94cead67efae131b3fff4c
- SHA1: f22185fd187244b96f96184359b4f7a7ad8542b0
- SHA256: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea
- SHA512: d2a1a1255f8313a1125c59218be8fecbb46604663c964477b8cd381c78381ffc0aca518f781be87d355d4d0e043dc5d773ae1bb4af2c8716b0f56f293cd4956c
Malware Config
Extracted from: C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta
- Contact e-mail: cryhead@mail.com
- Contact e-mail: cryhead@pm.me
- Extracted value: 11100001111011111111100001111011111100
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Process: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
  Description: File opened for modification
  IoC: \??\c:\users\admin\pictures\ResumeWait.tiff
- Drops startup file (1 IoC)
  Process: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
  Description: File created
  IoC: \??\c:\users\admin\appdata\roaming\microsoft\word\startup\how_to_decrypt.hta
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Process: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe, operation "Set value (str)" in each case
  Key: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDA24E22-3003A7AC
  Data: "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe\" -id \"BDA24E22-3003A7AC\" -wid \"1\""
  Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\530563
  Data: "530563"
  Key: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDA24E22-3003A7AChta
  Data: "c:\\users\\admin\\appdata\\local\\temp\\how_to_decrypt.hta"
  Notes: the first value relaunches the sample from %TEMP% at logon with the -id and -wid arguments shown; the third points at the .hta ransom note, which the shell opens with its file-type handler (mshta.exe). The HKLM value lands under WOW6432Node because the sample is a 32-bit process and its write to HKLM\SOFTWARE is redirected; its data is the bare string 530563 rather than a command line, so it is more likely a marker than a working autostart entry.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  WerFault.exe (PID 5000) handled a crash of mshta.exe (PID 4880), the process that was displaying how_to_decrypt.hta.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe (PID 1944)
- Modifies registry class (1 IoC)
  Process: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
  Description: Key created
  IoC: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe (PID 904): 6 occurrences
  WerFault.exe (PID 5000): 14 occurrences
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  vssvc.exe (PID 2188): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe (PID 2160), the whole set enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35 and 36 (not resolved to names by the sandbox)
  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe (PID 904): SeDebugPrivilege
  WerFault.exe (PID 5000): SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
  Note: WMIC.exe routinely enables every privilege available to its token when it starts, and vssvc.exe needs backup/restore privileges to manage shadow copies, so those entries reflect the tools rather than the sample. The sample itself enabled only SeDebugPrivilege; the signal in this run is that it launched the tools.
- Suspicious use of WriteProcessMemory (27 IoCs)
  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe (PID 904) wrote three times each into cmd.exe PIDs 3368, 3252, 420, 208, 2984 and 3596, and into mshta.exe PID 4880
  cmd.exe (PID 3368) wrote three times into vssadmin.exe (PID 1944)
  cmd.exe (PID 208) wrote three times into WMIC.exe (PID 2160)
  Every target is the writer's own child in the process tree, so these are the writes a parent makes while setting up a newly created process, not injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe (PID 904)
   Command line: "C:\Users\Admin\AppData\Local\Temp\79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe"
   Signatures: Modifies extensions of user files; Drops startup file; Adds Run key to start application; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 3368)
      Command line: "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\vssadmin.exe (PID 1944)
         Command line: vssadmin delete shadows /all /quiet
         Signatures: Interacts with shadow copies
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
   2. C:\Windows\SysWOW64\cmd.exe (PID 208)
      Command line: "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2160)
         Command line: wmic SHADOWCOPY DELETE
         Signatures: Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
   2. C:\Windows\SysWOW64\mshta.exe (PID 4880)
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      3. C:\Windows\SysWOW64\WerFault.exe (PID 5000)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1656
         Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\vssvc.exe (PID 2188)
   Command line: C:\Windows\system32\vssvc.exe
   Signatures: Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- The image paths are under SysWOW64 while the command lines say System32: the sample is a 32-bit process, so WoW64 file-system redirection resolves System32 to SysWOW64 for every child it launches (the same redirection puts its HKLM Run value under WOW6432Node).
- Six cmd.exe children carry the recovery-inhibition commands (vssadmin, wbadmin twice, wmic, bcdedit twice). Only vssadmin.exe and WMIC.exe appear as grandchildren; no wbadmin.exe or bcdedit.exe process is recorded, so the report does not show those four commands executing.
- vssvc.exe, the Volume Shadow Copy service, starts on demand when shadow copies are enumerated or deleted and appears here as a separate top-level process; that is why its SeBackupPrivilege/SeRestorePrivilege adjustments show up in the signatures.
- mshta.exe, which rendered the ransom note, crashed and was handled by WerFault.exe (-p 4880 names the faulting PID).
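The process tree and the Run-key signature are the two behaviours in this run that a detection engineer would alert on. The following Python is an added example and not part of the sandbox report: it runs over constructed process-creation and registry events whose PIDs, image paths and command lines mirror this run (the field names, the parent PIDs 2540 and 6000, the shortened sample filename and the two benign control events are assumptions), groups recovery-inhibition commands by the root of the process tree so that one parent spawning several different backup-destroying commands is what fires rather than any single vssadmin call, and flags Run values that point into %TEMP%, point at an .hta, or were written by a process running from %TEMP%.

```python
"""Detection logic for the recovery-inhibition and persistence behaviour in this report.

Added example, not the sandbox's output. Events are constructed: the field names are an
assumed normalised schema (think Sysmon Event ID 1 for process creation and 13 for
registry value sets), and the PIDs and command lines mirror the report's process tree.
"""
import re
from collections import defaultdict

# One pattern per recovery-inhibition command line seen in the process tree.
RECOVERY_INHIBITION = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_backup": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:systemstatebackup|backup|catalog)\b", re.I),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", re.I),
}
# Run key under HKCU or HKLM; WOW6432Node is where a 32-bit writer's HKLM entry lands.
RUN_KEY = re.compile(r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
SUSPICIOUS_DATA = re.compile(r"\\appdata\\local\\temp\\|\.hta\b", re.I)


def match_recovery_inhibition(cmdline):
    """Names of every recovery-inhibition rule the command line matches."""
    return [name for name, rx in RECOVERY_INHIBITION.items() if rx.search(cmdline)]


def root_ancestor(pid, parents):
    """Follow the PPID chain to the oldest ancestor present in the event set."""
    seen = {pid}
    while parents.get(pid) in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return pid


def recovery_inhibition_by_root(events):
    """Distinct rules hit, grouped by the top of each process tree: one cmd.exe running
    vssadmin may be an administrator, but one parent whose children run several different
    backup-destroying commands (as in this report) is the ransomware pattern."""
    procs = [e for e in events if e["type"] == "process"]
    parents = {e["pid"]: e["ppid"] for e in procs}
    hits = defaultdict(set)
    for e in procs:
        for rule in match_recovery_inhibition(e["cmdline"]):
            hits[root_ancestor(e["pid"], parents)].add(rule)
    return dict(hits)


def alert_recovery_chains(events, min_rules=2):
    """Root PIDs whose tree triggered at least min_rules distinct rules."""
    return sorted(p for p, r in recovery_inhibition_by_root(events).items() if len(r) >= min_rules)


def suspicious_run_values(events):
    """Run values pointing into %TEMP% or at an .hta, or written by a process running from %TEMP%."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    return [(e["pid"], e["key"], e["data"]) for e in events
            if e["type"] == "registry" and RUN_KEY.search(e["key"])
            and (SUSPICIOUS_DATA.search(e["data"]) or TEMP_DIR.search(images.get(e["pid"], "")))]


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def reg(pid, key, data):
    return {"type": "registry", "pid": pid, "key": key, "data": data}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # stands in for the SHA-256-named file
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SID = r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000"
EVENTS = [  # constructed; 2540 and 6000 are assumed parent PIDs that the report does not show
    proc(904, 2540, SAMPLE, f'"{SAMPLE}"'),
    proc(3368, 904, CMD, r'"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"'),
    proc(1944, 3368, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    proc(3252, 904, CMD, r'"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"'),
    proc(420, 904, CMD, r'"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"'),
    proc(208, 904, CMD, r'"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"'),
    proc(2160, 208, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic SHADOWCOPY DELETE"),
    proc(2984, 904, CMD, r'"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"'),
    proc(3596, 904, CMD, r'"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"'),
    proc(7001, 6000, r"C:\Windows\System32\cmd.exe", "vssadmin list shadows"),  # benign control
    reg(904, SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\BDA24E22-3003A7AC",
        f'"{SAMPLE}" -id "BDA24E22-3003A7AC" -wid "1"'),
    reg(904, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\530563", "530563"),
    reg(904, SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\BDA24E22-3003A7AChta",
        r"c:\users\admin\appdata\local\temp\how_to_decrypt.hta"),
    reg(7001, SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        r"C:\Program Files\OneDrive\OneDrive.exe"),  # benign control
]

if __name__ == "__main__":
    print("recovery-inhibition chains rooted at PID(s):", alert_recovery_chains(EVENTS))
    for pid, key, data in suspicious_run_values(EVENTS):
        print(f"suspicious Run value by PID {pid}: {key} = {data}")
```

Matching on the cmd.exe command line as well as on the grandchild means the wbadmin and bcdedit requests are still caught even though no wbadmin.exe or bcdedit.exe process appears in this tree, and grouping by root keeps the benign "vssadmin list shadows" control out of the alert. The 530563 Run value has no path in its data and is caught only because the writer itself runs from %TEMP%, which is why the writer's image is part of the check.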
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta
  MD5: 30c732abd23b3836c5ca32f6aab24a04
  SHA1: 2e1abc77b7f91ffe18f69402bfcf8200d33cc929
  SHA256: d33c694f307e8a60fd1edc66752fe0c6d3b1dfe6c86c294bc0c002fc38a62112
  SHA512: 5d93d520da265c68d61b5826f8ce841b30b00f15d250e8745a41dd785edaf96e7aab77b61deb1b57190795bba382a1d931be6dd9f67f445c635f1e0c44a48e1f
- Memory dumps, one per spawned child process (file names begin with the PID):
  memory/208-117-0x0000000000000000-mapping.dmp
  memory/420-116-0x0000000000000000-mapping.dmp
  memory/1944-118-0x0000000000000000-mapping.dmp
  memory/2160-121-0x0000000000000000-mapping.dmp
  memory/2984-119-0x0000000000000000-mapping.dmp
  memory/3252-115-0x0000000000000000-mapping.dmp
  memory/3368-114-0x0000000000000000-mapping.dmp
  memory/3596-120-0x0000000000000000-mapping.dmp
  memory/4880-122-0x0000000000000000-mapping.dmp