Analysis
- max time kernel: 198s
- max time network: 269s
- platform: windows10_x64
- resource: win10-en
- submitted: 15-09-2021 07:50
Static task: static1
Behavioral task: behavioral1
- Sample: Crapsomware.exe
- Resource: win7-en (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Crapsomware.exe
- Resource: win10-en (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Crapsomware.exe
- Size: 32KB
- MD5: b5121d2276fed40d5ae45b36990b5ded
- SHA1: aae3356c01621dd3d732f6ee0eff98cff4d1cd07
- SHA256: 448cef90795a2483b7ee9c4e552ab884ca6f62f7275b2411e654043f772c47c7
- SHA512: d711647112c5ac64b4cc4697575d511d8aa68ddc732ad33a5f23ffdb2a72f1f51fb7017fa2d3f8d47892af0caae1d6965f46f76592413a32c408ba1485d6291f
- Score: 8/10
Malware Config
Signatures
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
  - File created / C:\Users\Admin\Pictures\FormatSend.tif.crap / Crapsomware.exe
  - File created / C:\Users\Admin\Pictures\ReadUnregister.crw.crap / Crapsomware.exe
  - File created / C:\Users\Admin\Pictures\ApproveResume.tif.crap / Crapsomware.exe
  - File created / C:\Users\Admin\Pictures\CheckpointPop.tif.crap / Crapsomware.exe
  - File created / C:\Users\Admin\Pictures\CheckpointSend.raw.crap / Crapsomware.exe
  - File created / C:\Users\Admin\Pictures\DebugCompare.raw.crap / Crapsomware.exe
- Drops desktop.ini file(s) (6 IoCs)
  Processes (description / ioc / process):
  - File opened for modification / C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini / Crapsomware.exe
  - File created / C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini / Crapsomware.exe
  - File opened for modification / C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini / Crapsomware.exe
  - File created / C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini / Crapsomware.exe
  - File opened for modification / C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini / Crapsomware.exe
  - File created / C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini / Crapsomware.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 4700 / Crapsomware.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Crapsomware.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Crapsomware.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix
Downloads
- memory/4700-115-0x0000000000620000-0x0000000000621000-memory.dmp (Filesize: 4KB)
- memory/4700-117-0x0000000005450000-0x0000000005451000-memory.dmp (Filesize: 4KB)
- memory/4700-118-0x0000000004F50000-0x0000000004F51000-memory.dmp (Filesize: 4KB)
- memory/4700-119-0x0000000004F30000-0x0000000004F31000-memory.dmp (Filesize: 4KB)
- memory/4700-120-0x0000000000B50000-0x0000000000B51000-memory.dmp (Filesize: 4KB)
- memory/4700-121-0x0000000004F33000-0x0000000004F35000-memory.dmp (Filesize: 8KB)