Malware Analysis Report

2025-08-10 22:59

Sample ID 230328-hpt71ahe24
Target Crypter.exe
SHA256 43c9c228baf00bc4614fdeb578eb84ad2232cef6c2820046b0b9fec502be573f
Tags ransomware spyware stealer
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256

43c9c228baf00bc4614fdeb578eb84ad2232cef6c2820046b0b9fec502be573f

Threat Level: Likely malicious

The file Crypter.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware spyware stealer

Deletes shadow copies

Modifies extensions of user files

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Interacts with shadow copies

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-28 06:55

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-28 06:55

Reported

2023-03-28 06:57

Platform

win10v2004-20230221-en

Max time kernel

132s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Crypter.exe"

Signatures

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\UseWrite.tiff C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.INF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-selector.css C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\#FILE ENCRYPTED.txt C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-30.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_pt_BR.properties C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\resources.jar.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-400.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\#FILE ENCRYPTED.txt C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sl.pak.DATA.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\applet\#FILE ENCRYPTED.txt C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\#FILE ENCRYPTED.txt C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-72.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunec.jar.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\12.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\COPYRIGHT.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\#FILE ENCRYPTED.txt C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\manifest.json C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Toast.svg.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinResearcher.xml C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\ui-strings.js.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\de.pak C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\ui-strings.js.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Crypter.exe

"C:\Users\Admin\AppData\Local\Temp\Crypter.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#FILE ENCRYPTED.txt

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
IE 20.54.89.15:443 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 67.169.210.20.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 95.101.74.151:443 assets.msn.com tcp
US 8.8.8.8:53 151.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp

Files

C:\ProgramData\#FILE ENCRYPTED.txt

MD5 94250996214fbc1194e5d00ca0472059
SHA1 4aa601fd325613df0d1e070cd9b97aaeba31033e
SHA256 9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d
SHA512 8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\~tartUnifiedTileModelCache.tmp

MD5 d1526c611fbfa91ce5d14239ae65da65
SHA1 9a0e562796985467c8e64545427f13506a4e7487
SHA256 167aa904fbe7aab5885a364596c3f01efca69badbb90ca8c2660ea3e46ec4ae2
SHA512 94e5601e35a84ac3d8838ff2ee45c60a2072a5e030fdfbb6e518f731b88b56e0da4b002d34129598d64e8025274aef8a0e44ca82ddb32c8214073def3740105d

C:\Users\Admin\Desktop\#FILE ENCRYPTED.txt

MD5 94250996214fbc1194e5d00ca0472059
SHA1 4aa601fd325613df0d1e070cd9b97aaeba31033e
SHA256 9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d
SHA512 8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-28 06:55

Reported

2023-03-28 06:57

Platform

win7-20230220-en

Max time kernel

150s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Crypter.exe"

Signatures

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\ConvertFromWatch.tiff C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Users\Admin\Pictures\SelectFind.tiff C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Bahia.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\be\#FILE ENCRYPTED.txt C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\#FILE ENCRYPTED.txt C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EAWFINTL.DLL C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115867.GIF C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187817.WMF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.INF C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00136_.WMF C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\DVD Maker\bod_r.TTF C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185778.WMF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222019.WMF C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL054.XML.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\jfxrt.jar.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\msdaenum.dll C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Major Indicies.iqy C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292272.WMF C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.MMW C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR39F.GIF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpenc.exe C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\#FILE ENCRYPTED.txt C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\#FILE ENCRYPTED.txt C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14829_.GIF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Windows Journal\it-IT\Journal.exe.mui C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER98.POC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\#FILE ENCRYPTED.txt C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCNPST64.DLL C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00057_.GIF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypter.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Crypter.exe

"C:\Users\Admin\AppData\Local\Temp\Crypter.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#FILE ENCRYPTED.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\#FILE ENCRYPTED.txt

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

N/A

Files

C:\Users\#FILE ENCRYPTED.txt

MD5 94250996214fbc1194e5d00ca0472059
SHA1 4aa601fd325613df0d1e070cd9b97aaeba31033e
SHA256 9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d
SHA512 8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f

C:\Users\Admin\Desktop\#FILE ENCRYPTED.txt

MD5 94250996214fbc1194e5d00ca0472059
SHA1 4aa601fd325613df0d1e070cd9b97aaeba31033e
SHA256 9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d
SHA512 8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f

C:\Users\Admin\Documents\#FILE ENCRYPTED.txt

MD5 94250996214fbc1194e5d00ca0472059
SHA1 4aa601fd325613df0d1e070cd9b97aaeba31033e
SHA256 9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d
SHA512 8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f