Analysis Overview
SHA256
83ffbe63dd41a1a9d2d68fb1b72f6dffcf8e76ecefb8683ee47f6651f58b20a1
Threat Level: Known bad
The file windows_x64_encrypt.exe was found to be: Known bad.
Malicious Activity Summary
Hive
Modifies extensions of user files
Reads user/profile data of web browsers
Enumerates connected drives
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-01 16:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-01 16:41
Reported
2022-06-01 16:57
Platform
win7-20220414-en
Max time kernel
130s
Max time network
40s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe
C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe -u test:test
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
memory/1896-54-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp
memory/1292-56-0x0000000140000000-0x00000001405E8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-01 16:41
Reported
2022-06-01 16:57
Platform
win10v2004-20220414-en
Max time kernel
120s
Max time network
131s
Command Line
Signatures
Hive
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\SendGroup.crw.LVxrXDxy_17zlmuHVYhp | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AddConvertTo.tiff => C:\Users\Admin\Pictures\AddConvertTo.tiff.LVxrXDxy_1TutkBALR3e | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\AddConvertTo.tiff.LVxrXDxy_1TutkBALR3e | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResizeUse.crw => C:\Users\Admin\Pictures\ResizeUse.crw.LVxrXDxy_3bbvmRk1b15 | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResizeUse.crw.LVxrXDxy_3bbvmRk1b15 | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SaveLimit.tif => C:\Users\Admin\Pictures\SaveLimit.tif.LVxrXDxy_0_7lmskzGue | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SaveLimit.tif.LVxrXDxy_0_7lmskzGue | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SendGroup.crw => C:\Users\Admin\Pictures\SendGroup.crw.LVxrXDxy_17zlmuHVYhp | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe
C:\Users\Admin\AppData\Local\Temp\windows_x64_encrypt.exe -u test:test
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 1732 -ip 1732
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1732 -s 744
Network
| Country | Destination | Domain | Proto |
| US | 8.238.111.126:80 | tcp | |
| NL | 67.26.111.254:80 | tcp | |
| US | 52.168.117.170:443 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| BE | 67.27.153.254:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.253.208.113:80 | tcp | |
| US | 8.238.111.126:80 | tcp | |
| US | 8.238.111.126:80 | tcp |