crypvault | 3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566 | Triage

Submit
Reports

Overview

overview

Static

static

5

3ddf1da783...66.exe

windows7_x64

3ddf1da783...66.exe

windows10-2004_x64

8

Sharing

General

Target

3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566
Size

1.1MB
Sample

220701-rgp3rahbc2
MD5

67602186447c604718f329e4a75efa30
SHA1

da92fac48b831c782fe13704c444518dfab9f43f
SHA256

3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566
SHA512

99bc50931bfd4bedacdef49ed52d3270327d6314e661bafeac4c7099f4a95f1c1c555726769898876fafe0fa1c3303797b1a09604bead0795f297c75ff372590

Score

10^/10

crypvault persistence ransomware

Static task

static1

Behavioral task

behavioral1

Sample

3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe

Resource

win7-20220414-en

crypvault persistence ransomware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566
- Size
  
  1.1MB
- MD5
  
  67602186447c604718f329e4a75efa30
- SHA1
  
  da92fac48b831c782fe13704c444518dfab9f43f
- SHA256
  
  3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566
- SHA512
  
  99bc50931bfd4bedacdef49ed52d3270327d6314e661bafeac4c7099f4a95f1c1c555726769898876fafe0fa1c3303797b1a09604bead0795f297c75ff372590
Score

10^/10

crypvault persistence ransomware
- CrypVault
  Ransomware family which makes encrypted files look like they have been quarantined by AV.
  ransomware crypvault
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Scripting

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

crypvaultpersistenceransomware

behavioral2

© 2018-2024

Terms | Privacy