Analysis

  • max time kernel
    66s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-12-2021 10:39

General

  • Target

    WinCrypto Ransomware.exe

  • Size

    4.4MB

  • MD5

    27786f44811d4832d01246e529b94320

  • SHA1

    b31bd516fe0ca01cd139739867ae2c60054dc328

  • SHA256

    5c396be42657aecabd75f8be6ac9b3af96fa1243a4a50214b3543617f39d6c5b

  • SHA512

    1904e09f2a963b725493bb11b9b18f43ffb9e132114bdcd3f05816ee80d50fcca181482bced3fafd739c425b09e6864bec93bbc4ea1365da7ffdb1dc81734dea

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README WINCRYPTO.txt

Ransom Note
WINCRYPTO RANSOMWARE
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAS BEEN ENCRYPTED!
THE ONLY WAY TO DECRYPT YOUR FILES IS TO RECEIVE THE PRIVATE KEY AND DECRYPTION SOFTWARE.
TO RECEIVE THE PRIVATE KEY AND DECRYPTION SOFTWARE GO TO ANY DECRYPTED FOLDER - INSIDE THERE IS THE SPECIAL FILE 'README WINCRYPTO.TXT' WITH COMPLETE INSTRUCTIONS HOW TO DECRYPT YOUR FILES.
IF YOU CANNOT FIND ANY 'README WINCRYPTO.TXT' FILE AT YOUR PC. FOLLOW THE INSTRUCTIONS BELOW.
1. DOWNLOAD 'TOR BROWSER' FROM 'HTTPS://TORPROJECT.ORG' AND INSTALL IT.
2. IN THE 'TOR BROWSER' OPEN YOUR PERSONAL PAGE HERE. HTTPS://WINCRYPTO23XA93KU9234XN.ONION/7U2D-23MA-0M8C-M2AS
NOTE! THIS PAGE IS AVAILABLE VIA 'TOR BROWSER' ONLY.
FILE RECOVERY IS IMPOSSIBLE WHEN ANTI-VIRUS IS ACTIVATED AND THIS SOFTWARE IS TERMINATED!
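The note above carries the two indicators worth pulling out of a ransom note during triage: the Tor payment host and the per-victim ID in its path. The script below is an added example, not part of the sandbox report or the malware, that parses those out of the note text, recognises the note's file name on disk, and matches file hashes against the SHA-256 values printed in the report. The note text embedded in it is a constructed excerpt of the report's flattened rendering (line breaks were lost in export), so it will not hash to the report's note hashes; the function and variable names are this example's own.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# SHA-256 values copied from the report: the submitted sample and the dropped note.
REPORT_SHA256: Dict[str, str] = {
    "5c396be42657aecabd75f8be6ac9b3af96fa1243a4a50214b3543617f39d6c5b": "WinCrypto Ransomware.exe",
    "98e77b44361b33bc2d45b19762acabcc1f3ae0b534ace69017327eae91bf08a7": "README WINCRYPTO.txt",
}
NOTE_FILENAME = "README WINCRYPTO.txt"

# Constructed input: an excerpt of the note as the report prints it. Line breaks were lost
# in the export, so this single line does NOT hash to the report's note hashes.
NOTE_TEXT = (
    "WINCRYPTO RANSOMWARE YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAS BEEN "
    "ENCRYPTED! ... 1. DOWNLOAD 'TOR BROWSER' FROM 'HTTPS://TORPROJECT.ORG' AND INSTALL IT. "
    "2. IN THE 'TOR BROWSER' OPEN YOUR PERSONAL PAGE HERE. "
    "HTTPS://WINCRYPTO23XA93KU9234XN.ONION/7U2D-23MA-0M8C-M2AS NOTE! THIS PAGE IS AVAILABLE "
    "VIA 'TOR BROWSER' ONLY."
)

# Payment site plus optional per-victim path; the host in this note is not valid base32, so the
# pattern is deliberately looser than a real v2/v3 onion address check.
ONION_RE = re.compile(r"https?://([a-z0-9]+\.onion)(?:/([a-z0-9-]+))?", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def extract_note_iocs(text: str) -> Dict[str, object]:
    """Pull the payment host, victim ID and any clearnet hosts out of a ransom note.

    The victim ID stays case-sensitive; hosts are lowercased for matching.
    """
    m = ONION_RE.search(text)
    onion_host = m.group(1).lower() if m else None
    victim_id = m.group(2) if m and m.group(2) else None
    other_hosts = sorted(
        {h.lower() for h in HOST_RE.findall(text) if not h.lower().endswith(".onion")}
    )
    return {
        "onion_host": onion_host,
        "victim_id": victim_id,
        "onion_url": f"https://{onion_host}/{victim_id}" if onion_host and victim_id else None,
        "other_hosts": other_hosts,  # e.g. the Tor download site the note points the victim to
    }


def is_ransom_note_path(path: str) -> bool:
    """True when the file name is the note this sample drops (case-insensitive, as NTFS is)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() == NOTE_FILENAME.lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_known_hashes(
    files: Dict[str, bytes], known: Optional[Dict[str, str]] = None
) -> List[Tuple[str, str, str]]:
    """Hash each file's bytes and return (path, sha256, report_name) for every hit."""
    known = REPORT_SHA256 if known is None else known
    hits: List[Tuple[str, str, str]] = []
    for path, data in files.items():
        digest = sha256_hex(data)
        if digest in known:
            hits.append((path, digest, known[digest]))
    return hits


if __name__ == "__main__":
    print(extract_note_iocs(NOTE_TEXT))
    print(is_ransom_note_path(r"C:\Users\Admin\Desktop\README WINCRYPTO.txt"))
```

The host is lowercased because the note is rendered in capitals and Tor addresses are case-insensitive, while the victim ID is left untouched: it is what ties an infected machine to a payment page, and its case may matter to the operator's site.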

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WinCrypto Ransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\WinCrypto Ransomware.exe"
    PID: 760
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID: 1208
    • C:\Windows\system32\NOTEPAD.EXE (child of explorer.exe)
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README WINCRYPTO.txt
      PID: 1804

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1). In the current ATT&CK matrix this technique is T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.
  • Defense Evasion: Modify Registry, T1112 (1)
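The "Adds Run key to start application" signature and its T1060 mapping describe the classic autostart pattern: a value written under a CurrentVersion\Run key whose data points at an executable in a user-writable directory such as the %TEMP% path the sample runs from. The detector below is an added example, not code from the report or the sandbox vendor: it runs over constructed log lines in a simplified key=value form carrying the fields Sysmon Event ID 13 (RegistryEvent, value set) provides, and rates a Run key write "high" when the autostart target sits in a user-writable location. The SID and the value name "ExampleValue" are hypothetical; the report confirms a Run key write by PID 760 but does not print the value name or data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Autostart value under HKCU/HKLM ...\CurrentVersion\Run or RunOnce (T1060 in ATT&CK v6,
# T1547.001 in the current matrix). The group captures the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$",
    re.IGNORECASE,
)
# Directories an unprivileged user can write to; an autostart entry pointing here is the
# pattern the report's "Adds Run key" signature describes.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local\\Temp|Roaming)|Desktop|Downloads|ProgramData|Users\\Public)\\",
    re.IGNORECASE,
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed log lines (not real Sysmon output). The SID and the value name "ExampleValue"
# are hypothetical: the report confirms a Run key write by PID 760 but does not show the name.
SAMPLE_LOG = [
    r'ts=2021-12-13T10:40:01Z event_id=13 pid=760 '
    r'image="C:\Users\Admin\AppData\Local\Temp\WinCrypto Ransomware.exe" '
    r'target="HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExampleValue" '
    r'details="C:\Users\Admin\AppData\Local\Temp\WinCrypto Ransomware.exe"',
    r'ts=2021-12-13T10:40:02Z event_id=13 pid=1208 image="C:\Windows\explorer.exe" '
    r'target="HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" '
    r'details="DWORD (0x00000001)"',
    r'ts=2021-12-13T10:40:03Z event_id=13 pid=2044 image="C:\Program Files\Vendor\setup.exe" '
    r'target="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater" '
    r'details="C:\Program Files\Vendor\updater.exe"',
    r'ts=2021-12-13T10:40:04Z event_id=1 pid=1804 image="C:\Windows\system32\NOTEPAD.EXE" '
    r'commandline="NOTEPAD.EXE C:\Users\Admin\Desktop\README WINCRYPTO.txt"',
]


@dataclass
class RunKeyAlert:
    pid: int
    image: str
    value_name: str
    value_data: str
    severity: str  # "high": autostart target in a user-writable directory; "low": elsewhere


def parse_line(line: str) -> dict:
    """Split a key=value line into a dict, stripping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def detect_run_key_persistence(line: str) -> Optional[RunKeyAlert]:
    """Return an alert for a registry value-set event that creates a Run/RunOnce entry."""
    ev = parse_line(line)
    if ev.get("event_id") != "13":  # only registry value-set events are relevant
        return None
    m = RUN_KEY_RE.search(ev.get("target", ""))
    if not m:
        return None
    data = ev.get("details", "")
    severity = "high" if USER_WRITABLE_RE.search(data) else "low"
    return RunKeyAlert(int(ev["pid"]), ev["image"], m.group(1), data, severity)


def scan(lines: Iterable[str]) -> List[RunKeyAlert]:
    return [a for a in map(detect_run_key_persistence, lines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] pid={alert.pid} {alert.image!r} "
              f"set Run\\{alert.value_name} -> {alert.value_data!r}")
```

The rule keys on the value data rather than on the writing process, because legitimate installers also write Run values; the vendor installer line above is still reported, but at low severity, while the %TEMP% target from the sample's own path is what makes the first line a high-confidence hit.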


Downloads

  • C:\Users\Admin\Desktop\README WINCRYPTO.txt
    MD5

    ce428ffea12027325e2e625d6b3640e0

    SHA1

    fc86cf1db00d03002f4a4e3adddee4a545817092

    SHA256

    98e77b44361b33bc2d45b19762acabcc1f3ae0b534ace69017327eae91bf08a7

    SHA512

    bfe419ab68e92893f211f778de34c06ded97d30283c56c15f69a82bb5c37d1b0e4168ad37bd5cbb5a537d3c19812292ce9998230b9d27fddac382cfa63f0963f

  • memory/760-54-0x0000000000380000-0x0000000000381000-memory.dmp
    Filesize

    4KB

  • memory/760-56-0x0000000000C00000-0x0000000000C36000-memory.dmp
    Filesize

    216KB

  • memory/760-57-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
    Filesize

    4KB

  • memory/760-58-0x0000000004FA5000-0x0000000004FB6000-memory.dmp
    Filesize

    68KB

  • memory/1208-59-0x000007FEFB711000-0x000007FEFB713000-memory.dmp
    Filesize

    8KB