Analysis

Max time kernel: 87s
Max time network: 35s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 30/03/2023, 16:24

Tasks
- Static task static1
- Behavioral task behavioral1: sample encryptor.exe, resource win7-20230220-en
- Behavioral task behavioral2: sample encryptor.exe, resource win10v2004-20230220-en
General

Target: encryptor.exe
Size: 766KB
MD5: 400fa5d02c1ac704cd290d959b725e67
SHA1: 456e5cb1739cb5f29020d1a692289a5af07ce90d
SHA256: dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac
SHA512: 0240c6608931d975aa45e2a2c76ea43d311fd4660c091510197e30e65ccb69002e47006d1656abc71425186b3c7823881ae56ea39500afaef0fc4b5094b384ad
SSDEEP: 12288:aH3fcbXX/qkpwGarA0iKKjk/1RobRWGDmEd7nLTzGnabKJiM:aH3fcbXX9pwGarA0iKj/1RCWGDmIHQpX
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies extensions of user files (20 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Pictures\StopInstall.rawxxyyzzr | encryptor.exe
  File opened for modification | C:\Users\Admin\Pictures\PushReset.rawxxyyzzr | encryptor.exe
  File renamed | C:\Users\Admin\Pictures\RedoSet.crw => C:\Users\Admin\Pictures\RedoSet.crwxxyyzzr | encryptor.exe
  File renamed | C:\Users\Admin\Pictures\StepRegister.tiff => C:\Users\Admin\Pictures\StepRegister.tiffxxyyzzr | encryptor.exe
  File renamed | C:\Users\Admin\Pictures\StopInstall.raw => C:\Users\Admin\Pictures\StopInstall.rawxxyyzzr | encryptor.exe
  File renamed | C:\Users\Admin\Pictures\TestSubmit.tiff => C:\Users\Admin\Pictures\TestSubmit.tiffxxyyzzr | encryptor.exe
  File opened for modification | C:\Users\Admin\Pictures\TestSubmit.tiffxxyyzzr | encryptor.exe
  File renamed | C:\Users\Admin\Pictures\TestSubmit.tiffxxyyzzr => C:\Users\Admin\Pictures\TestSubmit.tiff | encryptor.exe
  File opened for modification | C:\Users\Admin\Pictures\CheckpointExit.crwxxyyzzr | encryptor.exe
  File renamed | C:\Users\Admin\Pictures\LockEnter.raw => C:\Users\Admin\Pictures\LockEnter.rawxxyyzzr | encryptor.exe
  File opened for modification | C:\Users\Admin\Pictures\RedoSet.crwxxyyzzr | encryptor.exe
  File opened for modification | C:\Users\Admin\Pictures\StepRegister.tiffxxyyzzr | encryptor.exe
  File renamed | C:\Users\Admin\Pictures\PushReset.raw => C:\Users\Admin\Pictures\PushReset.rawxxyyzzr | encryptor.exe
  File opened for modification | C:\Users\Admin\Pictures\StepRegister.tiff | encryptor.exe
  File renamed | C:\Users\Admin\Pictures\StepRegister.tiffxxyyzzr => C:\Users\Admin\Pictures\StepRegister.tiff | encryptor.exe
  File opened for modification | C:\Users\Admin\Pictures\TestSubmit.tiff | encryptor.exe
  File renamed | C:\Users\Admin\Pictures\CheckpointExit.crw => C:\Users\Admin\Pictures\CheckpointExit.crwxxyyzzr | encryptor.exe
  File renamed | C:\Users\Admin\Pictures\DisableExit.png => C:\Users\Admin\Pictures\DisableExit.pngxxyyzzr | encryptor.exe
  File opened for modification | C:\Users\Admin\Pictures\DisableExit.pngxxyyzzr | encryptor.exe
  File opened for modification | C:\Users\Admin\Pictures\LockEnter.rawxxyyzzr | encryptor.exe
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\G: | encryptor.exe
  File opened (read-only) | \??\A: | encryptor.exe
  File opened (read-only) | \??\L: | encryptor.exe
  File opened (read-only) | \??\V: | encryptor.exe
  File opened (read-only) | \??\O: | encryptor.exe
  File opened (read-only) | \??\N: | encryptor.exe
  File opened (read-only) | \??\M: | encryptor.exe
  File opened (read-only) | \??\K: | encryptor.exe
  File opened (read-only) | \??\H: | encryptor.exe
  File opened (read-only) | \??\Y: | encryptor.exe
  File opened (read-only) | \??\U: | encryptor.exe
  File opened (read-only) | \??\T: | encryptor.exe
  File opened (read-only) | \??\S: | encryptor.exe
  File opened (read-only) | \??\R: | encryptor.exe
  File opened (read-only) | \??\Q: | encryptor.exe
  File opened (read-only) | \??\I: | encryptor.exe
  File opened (read-only) | \??\E: | encryptor.exe
  File opened (read-only) | \??\Z: | encryptor.exe
  File opened (read-only) | \??\B: | encryptor.exe
  File opened (read-only) | \??\D: | encryptor.exe
  File opened (read-only) | \??\W: | encryptor.exe
  File opened (read-only) | \??\P: | encryptor.exe
  File opened (read-only) | \??\J: | encryptor.exe
  File opened (read-only) | \??\F: | encryptor.exe
  File opened (read-only) | \??\X: | encryptor.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  676 | vssadmin.exe

- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  1996 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid | Process
  1780 | encryptor.exe (32 identical events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeAssignPrimaryTokenPrivilege | 1780 | encryptor.exe
  Token: SeBackupPrivilege | 844 | vssvc.exe
  Token: SeRestorePrivilege | 844 | vssvc.exe
  Token: SeAuditPrivilege | 844 | vssvc.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1780 wrote to memory of 1064 | 1780 | encryptor.exe | 27 (4 identical events)
  PID 1064 wrote to memory of 676 | 1064 | cmd.exe | 29 (3 identical events)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\encryptor.exe (PID 1780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\encryptor.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 1064)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe (PID 676)
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

C:\Windows\system32\vssvc.exe (PID 844)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\rundll32.exe (PID 1796)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SkipJoin.php
  C:\Windows\system32\NOTEPAD.EXE (PID 1996)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SkipJoin.php
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.0MB
MD5: a44ca11994384c9bb9242ad15e372723
SHA1: f4c457ff8994e721d00326e4853d06f1a2c71e2c
SHA256: 487223e2f5eb3217ae651068ac0e03b6f28cf20bbe8a9759bd0024cceb9e75da
SHA512: 666311fc4cb4ce24ff3f6a3c583c1b972fffc93408d4d414f01f2006a9d16ed936d614c06af1eb6f1b514d50a04db79ff520e2b702ad84245bbee7d6887c4c86