bf086bbd8fc8eb68170b745d66afbda7a9a2a9c45cacb4dc7b9b8d1d5e40d9b6

General

Target

encrypt.exe
Size

5.7MB
MD5

21ac2a16194adb35644571e32c6fcd8f
SHA1

8757fe9ff4555f90df7f61855e5762e2c3f1aa21
SHA256

bf086bbd8fc8eb68170b745d66afbda7a9a2a9c45cacb4dc7b9b8d1d5e40d9b6
SHA512

5d3035454015b30269aa7f7ef7ef45c1da53b347c7eb68424f230f2461ce96f33ca04ef87c58bf1190c9a62df8764017ff6a65ddce3c2876e2acfd6243f604c5
SSDEEP

98304:b08mDk/6MgKCAglYYP3YlZ0iSUo+LXl2QXewr6ELoJMjfxzhUu8/xYvAkvl:b09M+GYPolZ0iJLXBeePcMlj40

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2260	WINWORD.EXE
2260	WINWORD.EXE
4740	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3392	mspaint.exe
3392	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4740	vlc.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe
4740	vlc.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3392	mspaint.exe
4868	OpenWith.exe
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
2260	WINWORD.EXE
4740	vlc.exe

C:\Users\Admin\AppData\Local\Temp\encrypt.exe
"C:\Users\Admin\AppData\Local\Temp\encrypt.exe"
1⤵
PID:4544

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\EditHide.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1476

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\GrantCompare.odt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResumeInstall.avi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
79B

MD5
edf24781f929616eeb56dee54e78fd86

SHA1
dadfa44a4f3e532059b08915b1402c0db4b0eb14

SHA256
2072a9956f39be03a762164be9532e5586606349e0c1a906ba3d53c2ee2fa5a2

SHA512
9fc6f406b8f31cffeea38f876becfd5878368d7f589249f60f85553b8621294168f95eba46b247eb043be6d4d442d2339198da8d1ce6537e794e0203cbdc12fb

Download Submit
memory/2260-183-0x00007FF9463D0000-0x00007FF9463E0000-memory.dmp

Filesize
64KB

Download
memory/2260-157-0x00007FF9463D0000-0x00007FF9463E0000-memory.dmp

Filesize
64KB

Download
memory/2260-159-0x00007FF944370000-0x00007FF944380000-memory.dmp

Filesize
64KB

Download
memory/2260-160-0x00007FF944370000-0x00007FF944380000-memory.dmp

Filesize
64KB

Download
memory/2260-184-0x00007FF9463D0000-0x00007FF9463E0000-memory.dmp

Filesize
64KB

Download
memory/2260-182-0x00007FF9463D0000-0x00007FF9463E0000-memory.dmp

Filesize
64KB

Download
memory/2260-181-0x00007FF9463D0000-0x00007FF9463E0000-memory.dmp

Filesize
64KB

Download
memory/2260-158-0x00007FF9463D0000-0x00007FF9463E0000-memory.dmp

Filesize
64KB

Download
memory/2260-154-0x00007FF9463D0000-0x00007FF9463E0000-memory.dmp

Filesize
64KB

Download
memory/2260-155-0x00007FF9463D0000-0x00007FF9463E0000-memory.dmp

Filesize
64KB

Download
memory/2260-156-0x00007FF9463D0000-0x00007FF9463E0000-memory.dmp

Filesize
64KB

Download
memory/3324-137-0x0000015991D60000-0x0000015991D70000-memory.dmp

Filesize
64KB

Download
memory/3324-149-0x000001599A9A0000-0x000001599A9A1000-memory.dmp

Filesize
4KB

Download
memory/3324-146-0x000001599A910000-0x000001599A911000-memory.dmp

Filesize
4KB

Download
memory/3324-152-0x000001599A9A0000-0x000001599A9A1000-memory.dmp

Filesize
4KB

Download
memory/3324-151-0x000001599A9A0000-0x000001599A9A1000-memory.dmp

Filesize
4KB

Download
memory/3324-150-0x000001599A9A0000-0x000001599A9A1000-memory.dmp

Filesize
4KB

Download
memory/3324-133-0x00000159915A0000-0x00000159915B0000-memory.dmp

Filesize
64KB

Download
memory/3324-144-0x000001599A890000-0x000001599A891000-memory.dmp

Filesize
4KB

Download
memory/3324-148-0x000001599A910000-0x000001599A911000-memory.dmp

Filesize
4KB

Download
memory/4740-204-0x00007FF7828D0000-0x00007FF7829C8000-memory.dmp

Filesize
992KB

Download
memory/4740-205-0x00007FF978200000-0x00007FF978234000-memory.dmp

Filesize
208KB

Download
memory/4740-206-0x00007FF9651D0000-0x00007FF965484000-memory.dmp

Filesize
2.7MB

Download
memory/4740-207-0x00007FF963F20000-0x00007FF964FCB000-memory.dmp

Filesize
16.7MB

Download
memory/4740-208-0x00007FF9635E0000-0x00007FF9636F2000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads