Overview

overview

10

Static

static

WinCrypto ...re.exe

windows7_x64

10

WinCrypto ...re.exe

windows10_x64

10

Analysis

  • max time kernel
    66s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13/12/2021, 10:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WinCrypto Ransomware.exe

  • Size

    4.4MB

  • MD5

    27786f44811d4832d01246e529b94320

  • SHA1

    b31bd516fe0ca01cd139739867ae2c60054dc328

  • SHA256

    5c396be42657aecabd75f8be6ac9b3af96fa1243a4a50214b3543617f39d6c5b

  • SHA512

    1904e09f2a963b725493bb11b9b18f43ffb9e132114bdcd3f05816ee80d50fcca181482bced3fafd739c425b09e6864bec93bbc4ea1365da7ffdb1dc81734dea

Score
10/10
persistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README WINCRYPTO.txt

Ransom Note
WINCRYPTO RANSOMWARE YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAS BEEN ENCRYPTED! THE ONLY WAY TO DECRYPT YOUR FILES IS TO RECEIVE THE PRIVATE KEY AND DECRYPTION SOFTWARE. TO RECEIVE THE PRIVATE KEY AND DECRYPTION SOFTWARE GO TO ANY DECRYPTED FOLDER - INSIDE THERE IS THE SPECIAL FILE 'README WINCRYPTO.TXT' WITH COMPLETE INSTRUCTIONS HOW TO DECRYPT YOUR FILES. IF YOU CANNOT FIND ANY 'README WINCRYPTO.TXT' FILE AT YOUR PC. FOLLOW THE INSTRUCTIONS BELOW. 1. DOWNLOAD 'TOR BROWSER' FROM 'HTTPS://TORPROJECT.ORG' AND INSTALL IT. 2. IN THE 'TOR BROWSER' OPEN YOUR PERSONAL PAGE HERE. HTTPS://WINCRYPTO23XA93KU9234XN.ONION/7U2D-23MA-0M8C-M2AS NOTE! THIS PAGE IS AVAILABLE VIA 'TOR BROWSER' ONLY. FILE RECOVERY IS IMPOSSIBLE WHEN ANTI-VIRUS IS ACTIVATED AND THIS SOFTWARE IS TERMINATED!

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WinCrypto Ransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\WinCrypto Ransomware.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:760
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1208
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README WINCRYPTO.txt
      1⤵
        PID:1804

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/760-54-0x0000000000380000-0x0000000000381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/760-56-0x0000000000C00000-0x0000000000C36000-memory.dmp

        Filesize

        216KB

        Download

      • memory/760-57-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/760-58-0x0000000004FA5000-0x0000000004FB6000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1208-59-0x000007FEFB711000-0x000007FEFB713000-memory.dmp

        Filesize

        8KB

        Download