a673316d048b600b1b9a36f2cb44d1ebd1ad775858c0b231bacd71d0c23d6d59

General

Target

encryptor.exe
Size

766KB
MD5

400fa5d02c1ac704cd290d959b725e67
SHA1

456e5cb1739cb5f29020d1a692289a5af07ce90d
SHA256

dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac
SHA512

0240c6608931d975aa45e2a2c76ea43d311fd4660c091510197e30e65ccb69002e47006d1656abc71425186b3c7823881ae56ea39500afaef0fc4b5094b384ad
SSDEEP

12288:aH3fcbXX/qkpwGarA0iKKjk/1RobRWGDmEd7nLTzGnabKJiM:aH3fcbXX9pwGarA0iKj/1RCWGDmIHQpX

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 20 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

encryptor.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\StopInstall.rawxxyyzzr	encryptor.exe
File opened for modification	C:\Users\Admin\Pictures\PushReset.rawxxyyzzr	encryptor.exe
File renamed	C:\Users\Admin\Pictures\RedoSet.crw => C:\Users\Admin\Pictures\RedoSet.crwxxyyzzr	encryptor.exe
File renamed	C:\Users\Admin\Pictures\StepRegister.tiff => C:\Users\Admin\Pictures\StepRegister.tiffxxyyzzr	encryptor.exe
File renamed	C:\Users\Admin\Pictures\StopInstall.raw => C:\Users\Admin\Pictures\StopInstall.rawxxyyzzr	encryptor.exe
File renamed	C:\Users\Admin\Pictures\TestSubmit.tiff => C:\Users\Admin\Pictures\TestSubmit.tiffxxyyzzr	encryptor.exe
File opened for modification	C:\Users\Admin\Pictures\TestSubmit.tiffxxyyzzr	encryptor.exe
File renamed	C:\Users\Admin\Pictures\TestSubmit.tiffxxyyzzr => C:\Users\Admin\Pictures\TestSubmit.tiff	encryptor.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointExit.crwxxyyzzr	encryptor.exe
File renamed	C:\Users\Admin\Pictures\LockEnter.raw => C:\Users\Admin\Pictures\LockEnter.rawxxyyzzr	encryptor.exe
File opened for modification	C:\Users\Admin\Pictures\RedoSet.crwxxyyzzr	encryptor.exe
File opened for modification	C:\Users\Admin\Pictures\StepRegister.tiffxxyyzzr	encryptor.exe
File renamed	C:\Users\Admin\Pictures\PushReset.raw => C:\Users\Admin\Pictures\PushReset.rawxxyyzzr	encryptor.exe
File opened for modification	C:\Users\Admin\Pictures\StepRegister.tiff	encryptor.exe
File renamed	C:\Users\Admin\Pictures\StepRegister.tiffxxyyzzr => C:\Users\Admin\Pictures\StepRegister.tiff	encryptor.exe
File opened for modification	C:\Users\Admin\Pictures\TestSubmit.tiff	encryptor.exe
File renamed	C:\Users\Admin\Pictures\CheckpointExit.crw => C:\Users\Admin\Pictures\CheckpointExit.crwxxyyzzr	encryptor.exe
File renamed	C:\Users\Admin\Pictures\DisableExit.png => C:\Users\Admin\Pictures\DisableExit.pngxxyyzzr	encryptor.exe
File opened for modification	C:\Users\Admin\Pictures\DisableExit.pngxxyyzzr	encryptor.exe
File opened for modification	C:\Users\Admin\Pictures\LockEnter.rawxxyyzzr	encryptor.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

encryptor.exe

description	ioc	process
File opened (read-only)	\??\G:	encryptor.exe
File opened (read-only)	\??\A:	encryptor.exe
File opened (read-only)	\??\L:	encryptor.exe
File opened (read-only)	\??\V:	encryptor.exe
File opened (read-only)	\??\O:	encryptor.exe
File opened (read-only)	\??\N:	encryptor.exe
File opened (read-only)	\??\M:	encryptor.exe
File opened (read-only)	\??\K:	encryptor.exe
File opened (read-only)	\??\H:	encryptor.exe
File opened (read-only)	\??\Y:	encryptor.exe
File opened (read-only)	\??\U:	encryptor.exe
File opened (read-only)	\??\T:	encryptor.exe
File opened (read-only)	\??\S:	encryptor.exe
File opened (read-only)	\??\R:	encryptor.exe
File opened (read-only)	\??\Q:	encryptor.exe
File opened (read-only)	\??\I:	encryptor.exe
File opened (read-only)	\??\E:	encryptor.exe
File opened (read-only)	\??\Z:	encryptor.exe
File opened (read-only)	\??\B:	encryptor.exe
File opened (read-only)	\??\D:	encryptor.exe
File opened (read-only)	\??\W:	encryptor.exe
File opened (read-only)	\??\P:	encryptor.exe
File opened (read-only)	\??\J:	encryptor.exe
File opened (read-only)	\??\F:	encryptor.exe
File opened (read-only)	\??\X:	encryptor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

676 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1996 NOTEPAD.EXE

pid	process
676	vssadmin.exe

pid	process
1996	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

encryptor.exe

pid	process
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe
1780	encryptor.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

encryptor.exevssvc.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1780	encryptor.exe
Token: SeBackupPrivilege	844	vssvc.exe
Token: SeRestorePrivilege	844	vssvc.exe
Token: SeAuditPrivilege	844	vssvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

encryptor.execmd.exe

description	pid	process	target process
PID 1780 wrote to memory of 1064	1780	encryptor.exe	cmd.exe
PID 1780 wrote to memory of 1064	1780	encryptor.exe	cmd.exe
PID 1780 wrote to memory of 1064	1780	encryptor.exe	cmd.exe
PID 1780 wrote to memory of 1064	1780	encryptor.exe	cmd.exe
PID 1064 wrote to memory of 676	1064	cmd.exe	vssadmin.exe
PID 1064 wrote to memory of 676	1064	cmd.exe	vssadmin.exe
PID 1064 wrote to memory of 676	1064	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\encryptor.exe
"C:\Users\Admin\AppData\Local\Temp\encryptor.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SkipJoin.php
1⤵
PID:1796

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SkipJoin.php
2⤵
- Opens file in notepad (likely ransom note)
PID:1996

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\SkipJoin.php
Filesize
1.0MB

MD5
a44ca11994384c9bb9242ad15e372723

SHA1
f4c457ff8994e721d00326e4853d06f1a2c71e2c

SHA256
487223e2f5eb3217ae651068ac0e03b6f28cf20bbe8a9759bd0024cceb9e75da

SHA512
666311fc4cb4ce24ff3f6a3c583c1b972fffc93408d4d414f01f2006a9d16ed936d614c06af1eb6f1b514d50a04db79ff520e2b702ad84245bbee7d6887c4c86

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads