43c9c228baf00bc4614fdeb578eb84ad2232cef6c2820046b0b9fec502be573f

General

Target

Crypter.exe
Size

129KB
MD5

9c62af504ce79cc4c0bbcc2612f3c4db
SHA1

37c01dc0342c161569e9d434246dc42962c00860
SHA256

43c9c228baf00bc4614fdeb578eb84ad2232cef6c2820046b0b9fec502be573f
SHA512

3572b9dde32844ba873de6c994dcf42e71bc217806390d6cf9d767d4c837266592087837aa70991604e3bd283a27a6e11d1d48177996213e8575326f86f839f3
SSDEEP

3072:qLbLpVIYbQf91G3im/2Ef07JysgNv8Ofr4pt6Y46ab6koEMQBfjS3f2vYeBgrOi4:qTpVXvxyq6ko0BSveYprzOu3ScuT06

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Crypter.exe

description ioc process

File opened (read-only) \??\D: Crypter.exe

description	ioc	process
File opened (read-only)	\??\D:	Crypter.exe

Drops file in Program Files directory 64 IoCs

Processes:

Crypter.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238959.WMF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssui.dll.mui	Crypter.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00345_.WMF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File created	C:\Program Files\DVD Maker\it-IT\#FILE ENCRYPTED.txt	Crypter.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_zh-TW.dll.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PNG32.FLT	Crypter.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsTap.dll	Crypter.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01358_.WMF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00095_.WMF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01154_.WMF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00265_.WMF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01627_.WMF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01080_.WMF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00234_.WMF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105378.WMF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dll.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00419_.WMF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00640_.WMF	Crypter.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01246_.GIF	Crypter.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	Crypter.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00276_.WMF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00052_.GIF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02126_.WMF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00444_.WMF	Crypter.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	Crypter.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\#FILE ENCRYPTED.txt	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02793_.WMF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\sbdrop.dll.mui	Crypter.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\#FILE ENCRYPTED.txt	Crypter.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SAFRI_01.MID	Crypter.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\JFONT.DAT	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157167.WMF.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\#FILE ENCRYPTED.txt	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr.jar.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll	Crypter.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui	Crypter.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\#FILE ENCRYPTED.txt	Crypter.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG	Crypter.exe
File opened for modification	C:\Program Files\Internet Explorer\sqmapi.dll	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfr.dll.EMAIL=[antistrees2000@keemail.me]ID=[6A3C5245BE2098C3].BTC	Crypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

524 vssadmin.exe

pid	process
524	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Crypter.exe

pid	process
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe
1428	Crypter.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1820 vssvc.exe
Token: SeRestorePrivilege 1820 vssvc.exe
Token: SeAuditPrivilege 1820 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1820	vssvc.exe
Token: SeRestorePrivilege	1820	vssvc.exe
Token: SeAuditPrivilege	1820	vssvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Crypter.execmd.exe

description	pid	process	target process
PID 1428 wrote to memory of 1364	1428	Crypter.exe	cmd.exe
PID 1428 wrote to memory of 1364	1428	Crypter.exe	cmd.exe
PID 1428 wrote to memory of 1364	1428	Crypter.exe	cmd.exe
PID 1428 wrote to memory of 1364	1428	Crypter.exe	cmd.exe
PID 1364 wrote to memory of 524	1364	cmd.exe	vssadmin.exe
PID 1364 wrote to memory of 524	1364	cmd.exe	vssadmin.exe
PID 1364 wrote to memory of 524	1364	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Crypter.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#FILE ENCRYPTED.txt
1⤵
PID:964

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\#FILE ENCRYPTED.txt
Filesize
332B

MD5
94250996214fbc1194e5d00ca0472059

SHA1
4aa601fd325613df0d1e070cd9b97aaeba31033e

SHA256
9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d

SHA512
8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f

Download Submit
C:\Users\Admin\Desktop\#FILE ENCRYPTED.txt
Filesize
332B

MD5
94250996214fbc1194e5d00ca0472059

SHA1
4aa601fd325613df0d1e070cd9b97aaeba31033e

SHA256
9dbda2ff049da53281eb3336461d309b8da1de14c11169187dcfc08dcbfe4b7d

SHA512
8ff4dfbe8cfd6c7ab86d045827a3fa79303f77e6fa4c9ef1d5000cbf36e9a8b8c397ec2fc98de341305151872e7a50e9184a385fc703907384cb5fdaba57938f

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads