Analysis Overview
SHA256
43c9c228baf00bc4614fdeb578eb84ad2232cef6c2820046b0b9fec502be573f
Threat Level: Likely malicious
The file Crypter.exe was found to be: Likely malicious.
Malicious Activity Summary
Deletes shadow copies
Modifies extensions of user files
Checks computer location settings
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Interacts with shadow copies
Modifies registry class
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-28 06:55
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-28 06:55
Reported
2023-03-28 06:57
Platform
win10v2004-20230221-en
Max time kernel
132s
Max time network
132s
Command Line
Signatures
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Pictures\UseWrite.tiff | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.INF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-selector.css | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\#FILE ENCRYPTED.txt | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-30.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_pt_BR.properties | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\resources.jar.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-150.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-400.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ks_IN\#FILE ENCRYPTED.txt | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sl.pak.DATA.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File created | C:\Program Files\Java\jre1.8.0_66\lib\applet\#FILE ENCRYPTED.txt | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-150_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\#FILE ENCRYPTED.txt | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-colorize.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-72.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunec.jar.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\12.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\COPYRIGHT.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\#FILE ENCRYPTED.txt | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\manifest.json | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Toast.svg.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinResearcher.xml | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\ui-strings.js.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\de.pak | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\ui-strings.js.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4568 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | C:\Windows\System32\cmd.exe |
| PID 4568 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | C:\Windows\System32\cmd.exe |
| PID 4572 wrote to memory of 224 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 4572 wrote to memory of 224 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 4568 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | C:\Windows\System32\cmd.exe |
| PID 4568 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | C:\Windows\System32\cmd.exe |
| PID 3224 wrote to memory of 4876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 3224 wrote to memory of 4876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Crypter.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#FILE ENCRYPTED.txt
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| IE | 20.54.89.15:443 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.210.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 95.101.74.151:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 151.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
Files
C:\ProgramData\#FILE ENCRYPTED.txt
| MD5 | 94250996214fbc1194e5d00ca0472059 |
| SHA1 | 4aa601fd325613df0d1e070cd9b97aaeba31033e |
| SHA256 | 9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d |
| SHA512 | 8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\~tartUnifiedTileModelCache.tmp
| MD5 | d1526c611fbfa91ce5d14239ae65da65 |
| SHA1 | 9a0e562796985467c8e64545427f13506a4e7487 |
| SHA256 | 167aa904fbe7aab5885a364596c3f01efca69badbb90ca8c2660ea3e46ec4ae2 |
| SHA512 | 94e5601e35a84ac3d8838ff2ee45c60a2072a5e030fdfbb6e518f731b88b56e0da4b002d34129598d64e8025274aef8a0e44ca82ddb32c8214073def3740105d |
C:\Users\Admin\Desktop\#FILE ENCRYPTED.txt
| MD5 | 94250996214fbc1194e5d00ca0472059 |
| SHA1 | 4aa601fd325613df0d1e070cd9b97aaeba31033e |
| SHA256 | 9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d |
| SHA512 | 8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f |
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-28 06:55
Reported
2023-03-28 06:57
Platform
win7-20230220-en
Max time kernel
150s
Max time network
33s
Command Line
Signatures
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Pictures\ConvertFromWatch.tiff | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SelectFind.tiff | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Bahia.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\be\#FILE ENCRYPTED.txt | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\#FILE ENCRYPTED.txt | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EAWFINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115867.GIF | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187817.WMF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.INF | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00136_.WMF | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\bod_r.TTF | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185778.WMF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222019.WMF | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL054.XML.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\jfxrt.jar.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\msdaenum.dll | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Major Indicies.iqy | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292272.WMF | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.MMW | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR39F.GIF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpenc.exe | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\#FILE ENCRYPTED.txt | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\#FILE ENCRYPTED.txt | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14829_.GIF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\it-IT\Journal.exe.mui | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER98.POC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\#FILE ENCRYPTED.txt | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SCNPST64.DLL | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00057_.GIF.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h.EMAIL=[[email protected]]ID=[6A3C5245BE2098C3].BTC | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2000 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | C:\Windows\System32\cmd.exe |
| PID 2000 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | C:\Windows\System32\cmd.exe |
| PID 2000 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | C:\Windows\System32\cmd.exe |
| PID 2000 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypter.exe | C:\Windows\System32\cmd.exe |
| PID 932 wrote to memory of 464 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 932 wrote to memory of 464 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 932 wrote to memory of 464 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Crypter.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#FILE ENCRYPTED.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\#FILE ENCRYPTED.txt
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
Network
Files
C:\Users\#FILE ENCRYPTED.txt
| MD5 | 94250996214fbc1194e5d00ca0472059 |
| SHA1 | 4aa601fd325613df0d1e070cd9b97aaeba31033e |
| SHA256 | 9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d |
| SHA512 | 8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f |
C:\Users\Admin\Desktop\#FILE ENCRYPTED.txt
| MD5 | 94250996214fbc1194e5d00ca0472059 |
| SHA1 | 4aa601fd325613df0d1e070cd9b97aaeba31033e |
| SHA256 | 9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d |
| SHA512 | 8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f |
C:\Users\Admin\Documents\#FILE ENCRYPTED.txt
| MD5 | 94250996214fbc1194e5d00ca0472059 |
| SHA1 | 4aa601fd325613df0d1e070cd9b97aaeba31033e |
| SHA256 | 9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d |
| SHA512 | 8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f |