Overview
overview
10Static
static
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.msi
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
8Ransomware...KB.exe
windows10-2004-x64
10Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1697s -
max time network
1711s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2022 17:54
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral2
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral6
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral8
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral10
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral12
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral13
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral14
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral18
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral20
Sample
RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
RansomwareSamples/Pysa_08_04_2021_500KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral22
Sample
RansomwareSamples/REvil_07_04_2021_121KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
RansomwareSamples/REvil_08_04_2021_121KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral24
Sample
RansomwareSamples/Ragnar_11_02_2020_40KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Ranzy_20_11_2020_138KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Ryuk_21_03_2021_274KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral30
Sample
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
RansomwareSamples/Thanos_23_03_2021_91KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral32
Sample
RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Resource
win10v2004-20220812-en
General
-
Target
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
-
Size
1.4MB
-
MD5
d87fcd8d2bf450b0056a151e9a116f72
-
SHA1
48cb6bdbe092e5a90c778114b2dda43ce3221c9f
-
SHA256
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
-
SHA512
61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b
-
SSDEEP
12288:1deyF8N4Ateo7FURIFdnHt+gifa/kf5jOcXsikHOQLWOj9:1deyF8N4Ateo7WROdnHQgmSccikHh9
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\YOUR_FILES_ARE_ENCRYPTED.HTML
Signatures
-
SunCrypt Ransomware
Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 27 1996 powershell.exe 33 1996 powershell.exe -
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\CompressPing.png => C:\Users\Admin\Pictures\CompressPing.png.A5DFB3C6807125D8F018E1FB335D06BC95CD0EF89C4154A97DCB9FED70ADFA54 powershell.exe File renamed C:\Users\Admin\Pictures\FindResize.crw => C:\Users\Admin\Pictures\FindResize.crw.FDC920604791BD716EFC551493A466F51B33ECFEECFCAB86A6110F07F103B75F powershell.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YOUR_FILES_ARE_ENCRYPTED.HTML powershell.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: powershell.exe File opened (read-only) \??\J: powershell.exe File opened (read-only) \??\K: powershell.exe File opened (read-only) \??\L: powershell.exe File opened (read-only) \??\M: powershell.exe File opened (read-only) \??\W: powershell.exe File opened (read-only) \??\O: powershell.exe File opened (read-only) \??\P: powershell.exe File opened (read-only) \??\G: powershell.exe File opened (read-only) \??\Z: powershell.exe File opened (read-only) \??\X: powershell.exe File opened (read-only) \??\B: powershell.exe File opened (read-only) \??\R: powershell.exe File opened (read-only) \??\T: powershell.exe File opened (read-only) \??\Y: powershell.exe File opened (read-only) \??\I: powershell.exe File opened (read-only) \??\F: powershell.exe File opened (read-only) \??\H: powershell.exe File opened (read-only) \??\V: powershell.exe File opened (read-only) \??\Q: powershell.exe File opened (read-only) \??\E: powershell.exe File opened (read-only) \??\S: powershell.exe File opened (read-only) \??\N: powershell.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 4588 powershell.exe 4588 powershell.exe 4588 powershell.exe 1996 powershell.exe 1996 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 4588 powershell.exe Token: SeDebugPrivilege 1996 powershell.exe Token: SeBackupPrivilege 4292 vssvc.exe Token: SeRestorePrivilege 4292 vssvc.exe Token: SeAuditPrivilege 4292 vssvc.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4588 wrote to memory of 408 4588 powershell.exe 84 PID 4588 wrote to memory of 408 4588 powershell.exe 84 PID 408 wrote to memory of 3720 408 csc.exe 85 PID 408 wrote to memory of 3720 408 csc.exe 85 PID 4588 wrote to memory of 1996 4588 powershell.exe 86 PID 4588 wrote to memory of 1996 4588 powershell.exe 86 PID 4588 wrote to memory of 1996 4588 powershell.exe 86 PID 1996 wrote to memory of 684 1996 powershell.exe 91 PID 1996 wrote to memory of 684 1996 powershell.exe 91 PID 1996 wrote to memory of 684 1996 powershell.exe 91 PID 684 wrote to memory of 5056 684 csc.exe 93 PID 684 wrote to memory of 5056 684 csc.exe 93 PID 684 wrote to memory of 5056 684 csc.exe 93
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\SunCrypt_26_01_2021_1422KB.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\stanmaao\stanmaao.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C.tmp" "c:\Users\Admin\AppData\Local\Temp\stanmaao\CSCF3E4ACB11A434B71B4B6319190A88938.TMP"3⤵PID:3720
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\SunCrypt_26_01_2021_1422KB.ps1"2⤵
- Blocklisted process makes network request
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3b2an0h0\3b2an0h0.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3846.tmp" "c:\Users\Admin\AppData\Local\Temp\3b2an0h0\CSC9868B8F9CA144AE8967DE9388464CB9A.TMP"4⤵PID:5056
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4292
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD5ed300d32c4048bdafb7a6551c6f45f55
SHA1a17b38ebe17ecc15bdc031ed6df9fe236f09c045
SHA2567b32e7a1895ea4fb4853fa09854f4796f6b7f9ecf9acb6511971e14f0f6c2c66
SHA512d013bbc6eb2c99ae43433788d1fc21135aa42c0b82a324a8616b7c89ba57808125f27e5b7c6738ba803f2836124b0ab820c1d7e707cdd3bd5b8d5e2fb985de7f
-
Filesize
3KB
MD5eb02993eb865ad9672a65957af20ca6c
SHA196de706e891101d5e858f71fbe289d6e78d69f78
SHA2568ebffeeea832c43c0ef37d27a978e72eba7ea065478bb0206a211a8fa6edede0
SHA512fa5adcb7b0b1ad42920b0f42f2ab50236cbf10296ff50308bbc054269a2be17022e82b265121b23515a7ba2995515d300018cc4cf318801de9085cd8c9915d72
-
Filesize
1KB
MD5bf6ae2cc22f11fb23edabcb2ae3e0eae
SHA1f8ebf3264db270ceea0a9e8e1e90827d874b41a4
SHA256ee6b5c87bce4c2a47162a2e9421a66ae90e3ce88829db5d66dffb78d1d785ff6
SHA5127eeadeda9b8eebd2a6a658994cb686abfb4115fd475f2442ba4e336bbd76f3f7d53dcf06e78096b1849aca1723d6b96c1344cbfd8f8ff8c6f965b577d3e1d097
-
Filesize
1KB
MD521df3a82385d039d47bfcb41fa31b2f6
SHA1641b0191c12089f31f7d509eebdac1d503da15d8
SHA256c338486f7b4d45b27ebe1703f6b6649943813fee656a7128b24d013c8305dc94
SHA512ce1194a2c98adae40ad1b81557cdb50537e2db6996d1591b1e66169ed21244a99e5d4dca9fe265cc88851bce2d82c2c8bb5f47c8c810170e3af0240b0458b256
-
Filesize
3KB
MD518ce864152cb59ce1ca98d2e83f36577
SHA159996313552b82b6a515aea9648184c8bd5ff5fa
SHA256df5af065a8d834a038be012aacfb7bd681a287596725b124158f6d690ff65b2d
SHA512a1225e7422b1c97d13d5484d9c3a45cfa2d2e0166f8999a93351532ac699747242c7d676f46b6dcf6e8346d68c9b35eb7a066fccfaab635153c7db4124d40f54
-
Filesize
468B
MD5dd2cc0b4262792dc14aec5ef06de3a76
SHA167570a16a565e0f28ac7ba668f32447a73d99085
SHA256b6fb47c22e33bade63b9670bf283445980f3025566eda037b10412394e3470bd
SHA512b4ffff41ab48de3c59c132b1513fe64863d6cce5d0171b80d480a59d6614fcfb74adf3a268fc005f816dee3ff0a3844db4b666d1a2107347dd65bb50fd56eb64
-
Filesize
369B
MD5f6fe122bc2457e8dd9803ed58a641765
SHA110a5c43e3d3236ee163495cb46a42f2b5ace489d
SHA2568efa5602ab735af3deeddf832932a716a759a91a93283b5d9800d4b022c69b71
SHA5128cd1d67df64fc506781b3ff673b1740d6d34c551d387230dc0ae2812ffd4dabad34a8b8f5f5e29f01b711397111d04b98b4cadf970360150eedbb01b876dc571
-
Filesize
652B
MD582d77b3d1e31e8d2ce862bbb372195c5
SHA16338c06d619d6f8b3d1c838173142b4610b948a0
SHA2569eaca00c4d26d312afcf5805c47f266a683ea558f61b69ad4afae8e2eab18106
SHA51299c38e03b30b8861d8f0d3b124ea1e2e7025b7ec99894cf20d98ba237ead0018a93b5c22c72d169e74888eb70c00a1b45ff43f41154e2143198df569c6cc8a72
-
Filesize
652B
MD55ca7301a45112d6d7a34885a4608e338
SHA10e22a16d087e501658ac3e8ee44c256651d98202
SHA25619b1cf806d23d31cae4a92df60cf9dcce81b29d65e6ac68395648dc71732e0aa
SHA512c99a8ef7810759f6576de784dbedb74a1364ccbdac7d8a6cfa8caf253525fd8860203e7f31adbae870f3cd05a93029a5f8f0e05a9b34282e9ae34a40b526ab19
-
Filesize
468B
MD5dd2cc0b4262792dc14aec5ef06de3a76
SHA167570a16a565e0f28ac7ba668f32447a73d99085
SHA256b6fb47c22e33bade63b9670bf283445980f3025566eda037b10412394e3470bd
SHA512b4ffff41ab48de3c59c132b1513fe64863d6cce5d0171b80d480a59d6614fcfb74adf3a268fc005f816dee3ff0a3844db4b666d1a2107347dd65bb50fd56eb64
-
Filesize
369B
MD57b3d815be2b92598c12cfe68cae8ea49
SHA154861119966aa91dc86c6c7f722b71f5b0888160
SHA2565699ae091eb4ee54b814ca64e28867b919297761390e7764e4561f8b4a9d04b0
SHA512008579cff8d30bd0e0393a7f52eca3d9cf588b2931be56f242d188916a1edd41683292cce9be0cd063efd0886d66b70782491466a8a38ae7d96239c536c671a9