Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1697s -
max time network
1711s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
13-09-2022 17:54
General
-
Target
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
-
Size
1.4MB
-
MD5
d87fcd8d2bf450b0056a151e9a116f72
-
SHA1
48cb6bdbe092e5a90c778114b2dda43ce3221c9f
-
SHA256
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
-
SHA512
61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b
-
SSDEEP
12288:1deyF8N4Ateo7FURIFdnHt+gifa/kf5jOcXsikHOQLWOj9:1deyF8N4Ateo7WROdnHQgmSccikHh9
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\YOUR_FILES_ARE_ENCRYPTED.HTML
Signatures
-
SunCrypt Ransomware
Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.
-
Blocklisted process makes network request 2 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\SunCrypt_26_01_2021_1422KB.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\stanmaao\stanmaao.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C.tmp" "c:\Users\Admin\AppData\Local\Temp\stanmaao\CSCF3E4ACB11A434B71B4B6319190A88938.TMP"3⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\SunCrypt_26_01_2021_1422KB.ps1"2⤵
- Blocklisted process makes network request
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3b2an0h0\3b2an0h0.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3846.tmp" "c:\Users\Admin\AppData\Local\Temp\3b2an0h0\CSC9868B8F9CA144AE8967DE9388464CB9A.TMP"4⤵
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD5ed300d32c4048bdafb7a6551c6f45f55
SHA1a17b38ebe17ecc15bdc031ed6df9fe236f09c045
SHA2567b32e7a1895ea4fb4853fa09854f4796f6b7f9ecf9acb6511971e14f0f6c2c66
SHA512d013bbc6eb2c99ae43433788d1fc21135aa42c0b82a324a8616b7c89ba57808125f27e5b7c6738ba803f2836124b0ab820c1d7e707cdd3bd5b8d5e2fb985de7f
-
Filesize
3KB
MD5eb02993eb865ad9672a65957af20ca6c
SHA196de706e891101d5e858f71fbe289d6e78d69f78
SHA2568ebffeeea832c43c0ef37d27a978e72eba7ea065478bb0206a211a8fa6edede0
SHA512fa5adcb7b0b1ad42920b0f42f2ab50236cbf10296ff50308bbc054269a2be17022e82b265121b23515a7ba2995515d300018cc4cf318801de9085cd8c9915d72
-
Filesize
1KB
MD5bf6ae2cc22f11fb23edabcb2ae3e0eae
SHA1f8ebf3264db270ceea0a9e8e1e90827d874b41a4
SHA256ee6b5c87bce4c2a47162a2e9421a66ae90e3ce88829db5d66dffb78d1d785ff6
SHA5127eeadeda9b8eebd2a6a658994cb686abfb4115fd475f2442ba4e336bbd76f3f7d53dcf06e78096b1849aca1723d6b96c1344cbfd8f8ff8c6f965b577d3e1d097
-
Filesize
1KB
MD521df3a82385d039d47bfcb41fa31b2f6
SHA1641b0191c12089f31f7d509eebdac1d503da15d8
SHA256c338486f7b4d45b27ebe1703f6b6649943813fee656a7128b24d013c8305dc94
SHA512ce1194a2c98adae40ad1b81557cdb50537e2db6996d1591b1e66169ed21244a99e5d4dca9fe265cc88851bce2d82c2c8bb5f47c8c810170e3af0240b0458b256
-
Filesize
3KB
MD518ce864152cb59ce1ca98d2e83f36577
SHA159996313552b82b6a515aea9648184c8bd5ff5fa
SHA256df5af065a8d834a038be012aacfb7bd681a287596725b124158f6d690ff65b2d
SHA512a1225e7422b1c97d13d5484d9c3a45cfa2d2e0166f8999a93351532ac699747242c7d676f46b6dcf6e8346d68c9b35eb7a066fccfaab635153c7db4124d40f54
-
Filesize
468B
MD5dd2cc0b4262792dc14aec5ef06de3a76
SHA167570a16a565e0f28ac7ba668f32447a73d99085
SHA256b6fb47c22e33bade63b9670bf283445980f3025566eda037b10412394e3470bd
SHA512b4ffff41ab48de3c59c132b1513fe64863d6cce5d0171b80d480a59d6614fcfb74adf3a268fc005f816dee3ff0a3844db4b666d1a2107347dd65bb50fd56eb64
-
Filesize
369B
MD5f6fe122bc2457e8dd9803ed58a641765
SHA110a5c43e3d3236ee163495cb46a42f2b5ace489d
SHA2568efa5602ab735af3deeddf832932a716a759a91a93283b5d9800d4b022c69b71
SHA5128cd1d67df64fc506781b3ff673b1740d6d34c551d387230dc0ae2812ffd4dabad34a8b8f5f5e29f01b711397111d04b98b4cadf970360150eedbb01b876dc571
-
Filesize
652B
MD582d77b3d1e31e8d2ce862bbb372195c5
SHA16338c06d619d6f8b3d1c838173142b4610b948a0
SHA2569eaca00c4d26d312afcf5805c47f266a683ea558f61b69ad4afae8e2eab18106
SHA51299c38e03b30b8861d8f0d3b124ea1e2e7025b7ec99894cf20d98ba237ead0018a93b5c22c72d169e74888eb70c00a1b45ff43f41154e2143198df569c6cc8a72
-
Filesize
652B
MD55ca7301a45112d6d7a34885a4608e338
SHA10e22a16d087e501658ac3e8ee44c256651d98202
SHA25619b1cf806d23d31cae4a92df60cf9dcce81b29d65e6ac68395648dc71732e0aa
SHA512c99a8ef7810759f6576de784dbedb74a1364ccbdac7d8a6cfa8caf253525fd8860203e7f31adbae870f3cd05a93029a5f8f0e05a9b34282e9ae34a40b526ab19
-
Filesize
468B
MD5dd2cc0b4262792dc14aec5ef06de3a76
SHA167570a16a565e0f28ac7ba668f32447a73d99085
SHA256b6fb47c22e33bade63b9670bf283445980f3025566eda037b10412394e3470bd
SHA512b4ffff41ab48de3c59c132b1513fe64863d6cce5d0171b80d480a59d6614fcfb74adf3a268fc005f816dee3ff0a3844db4b666d1a2107347dd65bb50fd56eb64
-
Filesize
369B
MD57b3d815be2b92598c12cfe68cae8ea49
SHA154861119966aa91dc86c6c7f722b71f5b0888160
SHA2565699ae091eb4ee54b814ca64e28867b919297761390e7764e4561f8b4a9d04b0
SHA512008579cff8d30bd0e0393a7f52eca3d9cf588b2931be56f242d188916a1edd41683292cce9be0cd063efd0886d66b70782491466a8a38ae7d96239c536c671a9
-
-
-
Filesize
6.5MB
-
Filesize
216KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
6.2MB
-
-
Filesize
408KB
-
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-