448cef90795a2483b7ee9c4e552ab884ca6f62f7275b2411e654043f772c47c7

Analysis

Target

Crapsomware.exe
Size

32KB
MD5

b5121d2276fed40d5ae45b36990b5ded
SHA1

aae3356c01621dd3d732f6ee0eff98cff4d1cd07
SHA256

448cef90795a2483b7ee9c4e552ab884ca6f62f7275b2411e654043f772c47c7
SHA512

d711647112c5ac64b4cc4697575d511d8aa68ddc732ad33a5f23ffdb2a72f1f51fb7017fa2d3f8d47892af0caae1d6965f46f76592413a32c408ba1485d6291f

Score

8^/10

ransomware

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

Processes:

Crapsomware.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\FormatSend.tif.crap	Crapsomware.exe
File created	C:\Users\Admin\Pictures\ReadUnregister.crw.crap	Crapsomware.exe
File created	C:\Users\Admin\Pictures\ApproveResume.tif.crap	Crapsomware.exe
File created	C:\Users\Admin\Pictures\CheckpointPop.tif.crap	Crapsomware.exe
File created	C:\Users\Admin\Pictures\CheckpointSend.raw.crap	Crapsomware.exe
File created	C:\Users\Admin\Pictures\DebugCompare.raw.crap	Crapsomware.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

Crapsomware.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	Crapsomware.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	Crapsomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Crapsomware.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Crapsomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Crapsomware.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Crapsomware.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Crapsomware.exe

description pid process

Token: SeDebugPrivilege 4700 Crapsomware.exe

description	pid	process
Token: SeDebugPrivilege	4700	Crapsomware.exe

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4928

memory/4700-115-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4700-117-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/4700-118-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/4700-119-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/4700-120-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4700-121-0x0000000004F33000-0x0000000004F35000-memory.dmp

Filesize
8KB

Download