16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20

General

Target

16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
Size

48KB
MD5

4f6173eb23deaff1670b1b2f0f6882fe
SHA1

8b0aa4a785803ebcd71fa71dfe5b3671c1ab6c13
SHA256

16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20
SHA512

192bf3985320e342d6808b5581f2dbcdfaafe57ebd6c08e067b1609568790432f03f7af123e3f7ddeafe94ad2ede11ab295fbc28c9111caf50f66af597e66735
SSDEEP

768:AUAXzPLCUW6R/bUHUWSLa/SET7Q74guCNP:YC16lYHMa7TU3xP

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RedKrypt-Notes-README.txt

Ransom Note

ALL YOUR FILES HAVE BEEN ENCRYPTED BY THE REDKRYPT RANSOMWARE Why me? RedKrypt doesn't choose victims. Victims choose RedKrypt. How I can recovery my files? You cannot use third party software for decrypt your files: you can use only the official RedKrypt Decryption Tool. Follow this istructions: 1) Copy your decryption ID 2) Write to rexplo8sdh1ba6ta18lacue8v9@gmail.com and send your decryption id 3) We'll reply with our conditions, and the decryption tool will be sent to you. YOUR REDKRYPT CLIENT-ID: BC40DA2B078BFBFF000306D2

Emails

rexplo8sdh1ba6ta18lacue8v9@gmail.com

Signatures

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BlockClose.png => C:\Users\Admin\Pictures\BlockClose.png.p.redkrypt	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File renamed	C:\Users\Admin\Pictures\ResolveSync.crw => C:\Users\Admin\Pictures\ResolveSync.crw.p.redkrypt	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe

Drops startup file 1 IoCs

Processes:

16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 40 IoCs

Processes:

16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UN1Y26T5\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MRSZ10R1\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UFPRKV05\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFGR6881\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\WZHASH05\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\COPX4L9J\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z0VF2WDD\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C2EPRMM6\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe
"C:\Users\Admin\AppData\Local\Temp\16764b173314ddeb7341f18a7b33066a319476847ba715c53c4f0f8e9ed43a20.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
PID:808

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RedKrypt-Notes-README.txt
1⤵
PID:596

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RedKrypt-Notes-README.txt
1⤵
PID:1828

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnblockMove.css.p.redkrypt
1⤵
- Modifies registry class
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RedKrypt-Notes-README.txt
Filesize
1KB

MD5
79b403009d11ab86054043ca81c9f17e

SHA1
0b02538c4b10fc423e66d3018dcd2218e132808c

SHA256
0f40653e2e00747a38aeebe8bdd7c0b3a61c899cb0a29f1bacb94a8d686e0e79

SHA512
8ecb6ef15baf72dc64f30b00660ada2c4c41098b6f0bd667ae77377ecfa867ddc97d7f43587b0524556fcdf20e28dee48882c30f38d91bf42e160ad4bbca3354

Download Submit
memory/596-60-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/808-54-0x000007FEF4480000-0x000007FEF4EA3000-memory.dmp

Filesize
10.1MB

Download
memory/808-55-0x0000000002832000-0x0000000002842000-memory.dmp

Filesize
64KB

Download
memory/808-56-0x0000000002862000-0x0000000002872000-memory.dmp

Filesize
64KB

Download
memory/808-57-0x0000000001FE6000-0x0000000002005000-memory.dmp

Filesize
124KB

Download
memory/808-58-0x0000000001FE6000-0x0000000002005000-memory.dmp

Filesize
124KB

Download
memory/808-59-0x0000000001FE6000-0x0000000002005000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads